The Payment Card Industry Data Security Standard (PCI-DSS) has evolved over the years, but two changes are now arriving at once that together amount to a revolution in how we protect our guests' personal data.
Unless you are just returning from a long holiday in some remote place in the world, you have heard that Target was hacked over the holiday shopping season. There have been big breaches and hacks in the past (Sony, TJ Maxx and Heartland Payment Systems, to name a few), but Target is special. The Target attack brought focus not just to PCI (most consumers have no idea what PCI is) but, far more importantly, put a spotlight on how companies protect the personal data of their customers.
The Great Target breach (Targetgeddon?) moved the needle for three reasons:
1 America’s middle class: I know the political parties seem to have a hard time finding America’s middle class, but I found them, and they are at your local Target. My wife shops at Target, my mom shops at Target, every family I know shops at Target. This is not a bunch of kids on their PlayStations, these are real families. The numbers I have seen are 70 million people have been directly impacted. Target had to fund 70 million letters written to people –some living paycheck to paycheck – explaining that their payment cards had been exposed. Target is paying for 70 million new payment cards and is providing credit protection and monitoring for 70 million customers. Now, customers who thought hacking and identity theft were someone else’s problem are worried about how we are protecting their information. Boom, your mom is now asking retailers questions about data protection.
2 The timing is right: When TJ Maxx was breached it was really too early for it to have a major impact. Customers were still a little distrustful of electronic payment systems and expected problems. People were still carrying cash and a check book. Guess what? People don't complete cash transactions any more, and I have no idea what drawer my check book is in. Debit is the new cash, and retailers like Target want you to use your debit card to reduce transaction fees. Most debit cards carry liability protection similar to their credit counterparts on paper, but real money is removed from your account, and it takes real time to get it back. Double-boom: your PIN might be exposed in the same system as your debit card number, and now your money is held in escrow until your bank makes it available to you again.
3 Emailed receipts are becoming prevalent: No one wants to carry a receipt when they can have it instantly emailed, and have it uncrumpled, unfaded and unlost forever. Target and other retailers (Home Depot, Square) make it easy to link your card number to your email address, so you just click yes the next time you use that card and get your receipt. Boom, now your personal email address is linked to your credit or debit card.
This is the big boom for many consumers, because merchants that also have online shopping hold your personal information (name, address, mother's maiden name, city you were married in, and your email address). This is compounded by the fact that many typical customers use the same password for everything (ask Sony). The Target breach exposed much more than just card numbers; the attack stole personal information.
Targetgeddon has accelerated the discussion about the second part of the revolution, but this revolution has been planned for years: EMV, or chip-and-pin payment cards. Major news outlets (CNN, Forbes, NBC, Wall Street Journal) went beyond an honorable mention for chip-and-pin and informed our customers about how it works, with most touting it as the cure for all transaction theft evils. EMV is a standard for payment cards with an embedded smart chip; the card is inserted into a slot at the terminal and, in the chip-and-pin variant, you enter a PIN to complete the transaction. Behind the curtain, the chip uses a key that never leaves the card to compute a one-time cryptogram over the transaction data (amount, date, a random number from the terminal and a counter the chip increments every time it is used). That cryptogram, the card data and the transaction data merge into a single payment record that the issuer verifies and that can only be used once; a copy captured in the terminal cannot be replayed for a second purchase.
Doesn’t that sound wonderful?
Mag stripe cards are easy to steal data from: the stripe holds a static record that works as well for the thief as for the cardholder, skimmers are tiny now, and far too few retailers are diligent about storing every payment card number in an encrypted format (raise your hand if you have been asked to fill out a form with your payment card number, address and signature and email or fax it back to some random location; now keep it up if you completed the form and sent it).
EMV sounds like a no-brainer, a win for our customers and safer for merchants to transmit and process.
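To make the "used once" property concrete, here is an added example (written for this page, not code from the article's author or from any card scheme) that models an EMV-style online authorisation and the attacks a mag-stripe skimmer relies on. It is a simplification: real EMV derives a 3DES/AES session key from the issuer master key and the Application Transaction Counter (ATC) and MACs the CDOL-formatted data, and PIN verification is a separate step not modelled here; HMAC-SHA256 stands in for the cryptogram MAC, and the PAN and terminal "unpredictable numbers" are constructed test values.

```python
import hashlib
import hmac
import secrets


def _cryptogram(key: bytes, pan: str, amount: int, currency: str, un: int, atc: int) -> str:
    """MAC over the transaction data, truncated like a real 8-byte cryptogram."""
    data = f"{pan}|{amount}|{currency}|{un:08x}|{atc}".encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()[:16]


class Chip:
    """Card side: the key never leaves the chip; the ATC increments on every use."""

    def __init__(self, pan: str, key: bytes) -> None:
        self.pan = pan
        self._key = key
        self.atc = 0  # Application Transaction Counter

    def generate_arqc(self, amount: int, currency: str, un: int) -> dict:
        """Build the one-time payment record for this purchase."""
        self.atc += 1
        return {
            "pan": self.pan,
            "amount": amount,
            "currency": currency,
            "un": un,  # the terminal's fresh unpredictable number
            "atc": self.atc,
            "arqc": _cryptogram(self._key, self.pan, amount, currency, un, self.atc),
        }


class Issuer:
    """Issuer host: holds each card's key and the highest ATC it has accepted."""

    def __init__(self) -> None:
        self._keys: dict[str, bytes] = {}
        self._last_atc: dict[str, int] = {}

    def enroll(self, pan: str) -> bytes:
        key = secrets.token_bytes(16)  # loaded into the chip at personalisation
        self._keys[pan] = key
        self._last_atc[pan] = 0
        return key

    def authorize(self, rec: dict, terminal_un: int) -> str:
        key = self._keys.get(rec["pan"])
        if key is None:
            return "DECLINE:unknown-card"
        if rec["un"] != terminal_un:
            return "DECLINE:stale-unpredictable-number"  # not built for this terminal session
        if rec["atc"] <= self._last_atc[rec["pan"]]:
            return "DECLINE:counter-replay"  # this record was already spent
        expected = _cryptogram(key, rec["pan"], rec["amount"], rec["currency"], rec["un"], rec["atc"])
        if not hmac.compare_digest(expected, rec["arqc"]):
            return "DECLINE:bad-cryptogram"  # data edited, or forger lacks the chip's key
        self._last_atc[rec["pan"]] = rec["atc"]
        return "APPROVE"


def demo() -> dict:
    """One genuine sale, then the replay and tampering attempts a skimmer enables."""
    issuer = Issuer()
    pan = "4111111111111111"  # constructed test PAN
    chip = Chip(pan, issuer.enroll(pan))

    un_a = 0x1A2B3C4D  # terminal A's random number for this sale
    sale = chip.generate_arqc(1999, "USD", un_a)
    results = {"genuine": issuer.authorize(sale, un_a)}

    # Memory-scraping malware copied `sale` off terminal A; replay it at terminal B.
    un_b = 0x5E6F7081
    results["replay"] = issuer.authorize(sale, un_b)

    # A smarter attacker rewrites the record to look fresh and inflates the amount,
    # but cannot recompute the cryptogram without the chip's key.
    forged = dict(sale, un=un_b, atc=sale["atc"] + 1, amount=99900)
    results["forged"] = issuer.authorize(forged, un_b)

    # The real card inserted at terminal B produces a new record that does work.
    results["next_genuine"] = issuer.authorize(chip.generate_arqc(4250, "USD", un_b), un_b)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:13s} -> {outcome}")
```

Contrast this with a magnetic stripe, where the track data is a fixed string: the issuer sees the identical record on every swipe, so it has no way to tell a skimmed copy from the cardholder's own card. The three checks in `authorize` (terminal freshness, monotonic counter, key-bound MAC) are what turn a stolen record into a useless one.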
Here’s the catch: open your wallet. How many cards do you have that have a chip (no points for residents of places outside of the USA, almost every other country figured this out years ago)? I have exactly zero, and I have at least two that were issued in the last six months. Banks are simply not issuing these cards.
It gets worse. Call your merchant services provider or processor and ask for a list of terminals they have approved for hotels (retail and restaurant have a few); right now there are none with our service provider and we are with one of the largest in the world.
EMV will be “mandatory” in 2015 or 2016, if it is not extended again. All of us will be placing terminals at our desks to take chip-and-pin, plus magnetic stripe payments, at a cost of $350 to $1,000 per unit, plus the additional costs for interfacing to our systems, for a technology that will not be a dominant form of payment with U.S. consumers for at least five years.
In addition, one major misconception is that EMV will eliminate your responsibility regarding PCI; this is not the case. Chip-and-pin and other EMV transactions will be more secure, but your responsibility to protect the storage, transmission and processing of payment card data will change very little.
I predict (Crystal-Ball has not been updated to HD yet) that chip-and-pin payments will mostly skip the United States, and we will use other EMV technologies involving NFC and new Bluetooth standards to complete transactions. If you are buying terminals to meet the EMV chip-and-pin standards, make sure to spend the extra money to be able to take NFC, and Bluetooth 4+ if it is available.
The time is now to start treating all of our customers’ personal data like credit card data, even if they are not taking steps to protect it themselves. Forget about PCI, you should already be compliant, get ready for the personal information protection revolution.
Jeffrey Stephen Parker, CHTP, is the vice president and Chief Funologist for Stout Street Hospitality.
©2014 Hospitality Upgrade
This work may not be reprinted, redistributed or repurposed without written consent.
For permission requests, call 678.802.5302 or email info@hospitalityupgrade.com.
Lessons Learned from Targetgeddon
Real network segregation, not just passing the audit and checking the box.
Your networks need to be separate and storage needs to be separate.
Real security is real security.
Of the PCI standards, 95 percent are just good security (read: common sense), stop playing at the edge of security to be compliant and focus on being secure.
Personal information protection is the new black.
It is now in the forefront of awareness for regular people.
The biggest threat is your staff.
Spend some time making sure only members of your team that need data to do their job, have that data.
According to Business Insider: The U.S. accounts for half of global payment card fraud, but only 27 percent of global transaction volume.
We are the problem, U-S-A! U-S-A!