The hospitality industry, especially hotels, is vulnerable to data breaches. In 2009, 38 percent of the breach investigations by security firm Trustwave were at hotels. Financial services firms accounted for 19 percent of investigations during the same period.
There does not even have to be an actual breach for a business to suffer consequences. If a merchant is even suspected of a breach, the following can occur:
A team of PCI-DSS security assessors may visit the business to perform:
- A computer network review of every device, computer and server, testing for multiple security weaknesses.
- Security audit of any wireless connections including whether a guest can access the company’s systems.
- An attempt to penetrate networks from the perimeter, especially to systems where credit card numbers are stored.
- A review of manual processing, document filing and all other security policies.
- An examination of all antivirus software, firewalls and any other electronic security measures.
- A test of the phone lines to determine if there are listening modems or other such devices present.
These examinations can take from several days to several weeks, causing significant disruption to any type of business, let alone a service-oriented one.
The merchant bears the cost of the examination, typically between $5,000 and $20,000, whether or not a breach of any kind actually occurred.
It is not just PCI-DSS audit teams that hotels need to be concerned with. The Federal Trade Commission (FTC) has filed a suit against a major hotel chain claiming that breaches exposed over 650,000 cardholder accounts and resulted in millions of dollars in fraud losses. The FTC alleges that the company did not meet the standards it set for itself in its own customer privacy policies.
While the case is still pending, a significant amount of management time and money has already been spent defending and countering the original suit. Had the well-documented standards been followed (both the company's own standards and industry standards), the incidents could have been prevented.
A business does not have to be large to suffer significantly from noncompliance.
A microbrewery/restaurant in California unknowingly stored over 12,000 full credit card numbers on its point-of-sale system, even though only the last four digits should have been kept. (PCI DSS permits storing a card number only if it is rendered unreadable, for example by truncation; a masked number may show at most the first six and last four digits, and a receipt or sales report needs no more than the last four.) The business was identified as a common purchase point for a number of cardholders whose accounts had been compromised.
The bookkeeper noticed that the expected credit card deposits were missing from the company's checking account and contacted the bank. The bank stated that the account had been frozen because of fraud on some cardholders' accounts. As a result, the restaurant bounced checks to suppliers and others.
Visa and MasterCard fined the business $27,000, and the point-of-sale system had to be upgraded at a cost of over $5,000, even though a breach was never conclusively proven.
In another case, a franchisee operating 23 fast food restaurants experienced multiple breaches of its point-of-sale systems. The company has spent over $250,000 in fees and fines, $45,000 for three forensic audits, and a $20,000 per year audit fee, regardless of whether it passes the audit. In addition, a security company had to be retained to work with the point-of-sale vendor to ensure ongoing compliance.
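The microbrewery's problem, full card numbers sitting in point-of-sale data nobody had looked at, is exactly what a quick scan of exported POS records would have caught. The following is an added example, not code from the article or from any POS vendor. It assumes the POS can export transaction records as plain text (the log lines below are constructed, using the publicly documented test card numbers rather than real accounts) and shows two checks a reviewer would run on such an export: find every Luhn-valid 13-19 digit sequence, and rewrite each one so only the last four digits survive.

```python
"""Scan point-of-sale records for stored card numbers (PANs) and mask them.

Added example, not code from the article or from any POS vendor.  It assumes
the POS exports records as plain text; the sample log below is constructed and
uses the standard publicly documented test card numbers, not real accounts.
"""
import re

# Candidate card numbers: 13-19 digits, optionally separated by single spaces
# or dashes, and not embedded in a longer run of digits.
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit validation (ISO/IEC 7812).

    Card numbers pass it; order numbers, timestamps and most other digit runs
    of the same length do not, which keeps false positives down.
    """
    total = 0
    for pos, ch in enumerate(reversed(digits)):
        d = int(ch)
        if pos % 2 == 1:            # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list:
    """Return every Luhn-valid PAN found in text, with separators stripped."""
    found = []
    for m in CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            found.append(digits)
    return found


def mask_pan(pan: str) -> str:
    """Keep only the last four digits.

    PCI DSS allows at most the first six and last four to be displayed; a
    receipt or sales report needs only the last four, so that is all we keep.
    """
    return "*" * (len(pan) - 4) + pan[-4:]


def scrub(text: str) -> str:
    """Replace every PAN in text with its masked form; other digit runs stay."""
    def repl(m):
        digits = re.sub(r"[ -]", "", m.group())
        return mask_pan(digits) if luhn_ok(digits) else m.group()
    return CANDIDATE.sub(repl, text)


def audit(text: str) -> dict:
    """Summary a reviewer would report: how many full PANs are stored."""
    pans = find_pans(text)
    return {"full_pans_found": len(pans), "last4": sorted(p[-4:] for p in pans)}


# Constructed sample of a POS transaction log.  The card numbers are the
# standard test numbers published by the card brands, not real accounts.
# Line 4 is already masked; line 5 is a 16-digit order number that fails Luhn.
SAMPLE_LOG = """\
2013-03-15 18:02:11 txn=100231 card=4111111111111111 amount=45.00 auth=OK
2013-03-15 18:05:47 txn=100232 card=5555 5555 5555 4444 amount=12.50 auth=OK
2013-03-15 18:09:03 txn=100233 card=3782-822463-10005 amount=88.00 auth=OK
2013-03-15 18:11:30 txn=100234 card=************1111 amount=9.99 auth=OK
2013-03-15 18:12:00 order=1234567890123456 note=catering deposit
"""

if __name__ == "__main__":
    print(audit(SAMPLE_LOG))
    print(scrub(SAMPLE_LOG))
```

Run the audit against every place the POS writes data, not just the transaction table: receipt spool files, debug logs and database backups are where full card numbers most often linger after the main table has been fixed. The Luhn filter removes most accidental matches, but a long digit run immediately adjacent to a card number (only a single space or dash away) is folded into one candidate and will fail the check, so a clean result on a noisy export is worth a second, manual look.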
“The breach caused immense frustration,” said a senior manager from the franchisee. “The fines were financially burdening and the breach did damage to our customer confidence.”
Another interesting case is that of a Utah restaurant that has filed a suit against its credit card processor. The processor was fined $90,000 by Visa and MasterCard for noncompliance by the restaurant and, by contract, passed the fine on to the owners. The owners filed a countersuit claiming the contract was unfair. They further alleged that the terms of the contract were changed without notice and that fines were imposed arbitrarily, with no opportunity to dispute them. A September 2012 ruling by a judge was viewed as favorable to the plaintiffs; however, the outcome is still pending. If the restaurant prevails, the case could have implications for the future enforcement of merchant agreements.
There are many other cases affecting entities in the hospitality industry. While some have called the PCI standards unfair, a "near scam" and other unflattering things, they remain part of the merchant agreement with card brands such as Visa, MasterCard, American Express and others.
The best course of action for a hotel or restaurant is to hire a qualified company or individual to review its particular situation and bring it to the recommended standards as quickly as possible.
Geoff Griswold is a field engineer and general manager of the Omni Group, an IT services company specializing in the hospitality industry. He can be reached at (678) 464-2427 or geoff@atlantaomnigroup.com.
©2013 Hospitality Upgrade
This work may not be reprinted, redistributed or repurposed without written consent.
For permission requests, call 678.802.5302 or email info@hospitalityupgrade.com.