
Sleeping in the arms of Morpheus... after building a house of cards



June 12, 2015
Compliance Tips
Marion Roger

As consultants in the hospitality technology space we regularly scrutinize the horizon for topics no one is talking openly about and endeavor to bring the discussion into the sunlight. Lately, one area of silence we have noticed is the profuse paper trail associated with credit cards. Sure, we know you all know about encryption, P2PE, tokenization, et al. (well, we hope you all know about these concepts and solutions), but what about all the paper associated with reservations and groups?

Recently I was asked by a global hotel group with a solid North American name to send not just a typed fax of my standard payment card details, but an image of the front and back of my payment card. In doing so, the hotel operator is receiving the card verification code on the back. As Tia D. Ilori, business leader of the Americas Payment System Security Group with Visa Inc., reminded readers of Hospitality Upgrade in the fall of 2013, any merchant that stores a copy of that code – even if it’s a printed copy – does so in violation of the PCI DSS requirement that prohibits storage of this code.

Often the focus is on technology when covering data security and privacy. PCI DSS clearly emphasizes the IT component, and we all further the myth that solid IT is the key to protecting guest card data and profiles. While this is an easy way to help executives sleep at night, don’t be one of those who nods off, lulled into the arms of Morpheus (Greek god of dreams and sleep).

When it comes to reservations, the industry standard is to send via XML into the CRS or the PMS, or from the CRS to the PMS. But why aren’t we talking about the number of notifications from one system to another that, when they fail, resort to faxing as the backup?

For those with enquiring minds, here’s the backstory. Reservation processing is commonly divided into two categories, referred to as reservation notification and reservation request. In a reservation notification, the entity that took the reservation (online travel agency, chain headquarters, call center) sends details of a booking that is already confirmed to the hotel or corporate system. The booking will typically have been confirmed to the guest before the notification process starts (because they have already been given the inventory, price and availability). Thus at this point the seller is, literally, notifying the PMS or CRS about a confirmed booking.

The terms “push” and “pull” are applied frequently to the models of connectivity and data exchange employed between hotel distribution systems. HEDNA defines push as follows: the originator or publisher (online travel agency, chain headquarters, call center) initiates or triggers the message flow that sends data to the recipient.

In a push model, the originator/publisher is the active party and the recipient of the data is passive. The best analogy to illustrate the nature of push notification is the comparison between a text message and a phone call. A text message is a push transaction: the source of the message is the active party, and the message is delivered to a passive recipient.

Here’s where it gets interesting. Take a moment and consider the number of hotels worldwide and the quantity of electronic reservations processed per day, and then think about it on a monthly basis; it is completely realistic to say that hundreds of thousands of push notifications fail. Trust me, many failures happen.

Any time a push notification goes to the recipient and the message returns an undeliverable type of reply, the originator has to activate plan B to ensure the reservation is delivered. That would be like you sending a text about your plane landing and, when you don’t get a reply, calling to say, “Hey, did you get my text? I am arriving at 3 p.m. Please make sure to get me at the airport!”

When a reservation push notice fails, guess what? The seller often resorts to good old-fashioned faxing of the entire set of data associated with a reservation. And then you have a huge paper trail that boggles the mind.

Let’s look at this a bit more. What about all the groups and meeting room rentals that are asked for a payment card to book a meeting contract? Recently I hosted a client from Europe in the NYC region and was asked for the $500 room rental fee to be guaranteed with my card. Why would I have to give them all this paper when a room costing the same amount is just held with a card number over the phone? I refused and went to the hotel to guarantee the meeting room in person using my credit card, but I still had to fill out the full page of information that they then put in a binder (after getting the authorization for the full amount immediately). They told me that the page is filed in a ring binder... yes... this was only last month. The form has so much information and is held after our meeting for months if not longer. Why? Our meeting is over and we have left.

Remember, when sending payment card information through a fax transmission you put at risk the sensitive payment data that the merchant is obliged to protect. Fax transmissions sent or received through the Internet must be encrypted. Additionally, any system such as a fax or email server that cardholder data passes through must be secured according to PCI DSS requirements. In fact, Ilori drove home the point that this practice creates an unsecured channel. Paper printouts sitting on a fax machine typically lack the physical protection necessary to ensure that only authorized personnel are able to access sensitive data. Hardcopy records with payment card details must be handled with appropriate caution.

Are you working with companies that offer the hotel space a solution for faxed reservation data? There are innovators in the marketplace. Coming from the medical and financial industries, they are now working in the hospitality field to provide secure faxing with a twist. One standout is able to convert the faxed data to an XML stream, and it is knocking it out of the park with regard to those failed push notifications.

We are looking at the marketplace and are still in shock about the amount of paper that hotels keep with cardholder information, and we wonder how in 2015 we are still at this point. We know that everyone is aware of the increased activity by criminal entities, but we are still amazed! To that end, PCI Booking from the InterFax family features some innovative and compliant solutions (a level one merchant with an AOC, nonetheless).

Messages transmitted by XML are received in a range of formats according to preferences defined by the recipient. Options include:

  • Conventional fax (non PCI compliant)
  • Conventional Internet fax (non PCI compliant)
  • PCI DSS compliant fax (compliant)
  • Email giving access to a PCI-Compliant portal with tokenized payment card data and virtual card image and instructions (compliant)
  • API enabling integration directly with PMS, channel manager and booking engine applications and the delivery of tokenized payment data and virtual card image and instructions
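The push model and its plan B described earlier, together with the tokenized delivery options just listed, can be shown in working code. The following is an added example written for this article, not code from Hospitality Upgrade, HEDNA, PCI Booking or InterFax: it builds a reservation notification in which the card number has been replaced by a vault token and the verification code is discarded before any channel sees the message, then pushes it and falls back to a second channel on an undeliverable reply. Because the fallback carries the same tokenized payload as the push, the failure path never turns into a fax of the full card. The `TokenVault` class, the channel callables and the sample booking (including the well-known test card number) are all assumptions constructed for the example.

```python
import json
import secrets
from typing import Any, Callable, Dict, Tuple

# Constructed sample booking. The PAN is a standard test number used in
# payment-integration sandboxes, not a live card; the CVV is likewise made up.
SAMPLE_RESERVATION: Dict[str, Any] = {
    "confirmation": "HOTEL-TEST-0001",   # constructed identifier
    "guest": "A. Traveller",
    "arrival": "2015-06-20",
    "nights": 2,
    "card": {"pan": "4111111111111111", "expiry": "12/18", "cvv": "123"},
}


class TokenVault:
    """Stand-in for the PCI-scoped token vault (assumption: in production this
    is a separate, audited service). Maps a PAN to an opaque token and back."""

    def __init__(self) -> None:
        self._by_token: Dict[str, str] = {}
        self._by_pan: Dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        # Re-use an existing token so repeated bookings map consistently.
        if pan in self._by_pan:
            return self._by_pan[pan]
        token = "tok_" + secrets.token_hex(12)
        self._by_pan[pan] = token
        self._by_token[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        return self._by_token[token]


def build_notification(reservation: Dict[str, Any], vault: TokenVault) -> Dict[str, Any]:
    """Build the reservation-notification payload. The PAN is replaced by a
    vault token and the CVV is dropped outright: it may be used for the
    authorization but must never be stored or forwarded."""
    card = reservation["card"]
    return {
        "confirmation": reservation["confirmation"],
        "guest": reservation["guest"],
        "arrival": reservation["arrival"],
        "nights": reservation["nights"],
        "payment": {
            "token": vault.tokenize(card["pan"]),
            "last4": card["pan"][-4:],
            "expiry": card["expiry"],
        },
    }


def leaks_card_data(message: Dict[str, Any], reservation: Dict[str, Any]) -> bool:
    """Guard run before any channel sees the message: True if the serialized
    payload still carries the full PAN or the CVV as a value."""
    text = json.dumps(message)
    card = reservation["card"]
    return card["pan"] in text or f'"{card["cvv"]}"' in text


# A delivery channel takes the serialized body and reports success.
Channel = Callable[[str], bool]


def deliver_with_fallback(message: Dict[str, Any], reservation: Dict[str, Any],
                          push: Channel, fallback: Channel) -> Tuple[str, bool]:
    """Push the notification; on an undeliverable reply activate plan B.
    The guard runs once on the single payload both channels share, so the
    fallback can only ever carry the tokenized data. Returns (channel, ok)."""
    if leaks_card_data(message, reservation):
        raise ValueError("refusing to send: payload contains PAN or CVV")
    body = json.dumps(message)
    if push(body):
        return ("push", True)
    return ("fallback", fallback(body))


if __name__ == "__main__":
    vault = TokenVault()
    msg = build_notification(SAMPLE_RESERVATION, vault)
    failing_push: Channel = lambda body: False   # simulate the undeliverable reply
    portal: Channel = lambda body: True          # simulate the compliant fallback
    print(deliver_with_fallback(msg, SAMPLE_RESERVATION, failing_push, portal))
    print(msg["payment"])
```

The design point is that tokenization happens when the payload is built, not per channel: a fallback added later (fax, portal, API) inherits a message that already contains nothing worth faxing, and the guard makes an accidental re-introduction of the PAN a hard failure rather than a silent paper trail.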

As we head to HITEC (or if you are reading this on the way home) it’s time to start giving serious thought to whether you are building a house of cards with all the paper card information. Sleep well!

Marion Roger, VP Hospitality Evolution Resources, is a specialist in the hospitality supply chain landscape who is currently leading an industry initiative to support guest data security and has developed a hotel-focused training curriculum on PII protection.

©2015 Hospitality Upgrade
This work may not be reprinted, redistributed or repurposed without written consent.
For permission requests, call 678.802.5302 or email info@hospitalityupgrade.com.

