In lieu of black and white answers, we dug deeper to mine the truth from the corporate doublespeak. What we have uncovered is that more than 90 percent of hotels, whether they be franchised or managed, do not comply with or attest to being compliant with the Payment Card Industry standards.  Properties do not provide their staff with data security/privacy training, they do not have data security and data privacy policies, nor are they aware of any corporate policies guiding data security.

 These are interesting times for data security and privacy.  The companies breached and the number of consumers impacted has been staggering. News stories breaking as we write this article indicate that data leakage is on the rise and the battle is being lost. Information gathered during our research coupled with the cavalier attitude toward data security makes it surprising that there haven’t been significantly more losses in the hospitality space. Consumers have been fortunate, as the bad guys seem to have focused their attention to other industries, as there have been no significant security issues since the White Lodging and Houstonian breaches from earlier this year.
 
There is little doubt hotel brands must step up and enforce security standards with some gusto. Unfortunately, the legal environment is preventing them from doing the right thing. The industry is paralyzed, nervously watching and waiting as pending FTC litigation works its way through the courts. The use of “nervously” is probably an understatement because an adverse ruling will have far reaching implications that franchisors in every line of business are not and have not prepared to deal with. Franchisors in most cases have seemingly adopted a wait-and-see approach and have not taken any of the significant steps to prepare for what seems to be an inevitable outcome.

During a recent brainstorming session the question was raised: Is it safer for the consumer to use a third party to book a hotel stay? This is an interesting question.

Brand: Online Booking Transaction via a Brand
A common method to book a hotel room is through the brand’s online presence (i.e., brand.com). The consumer searches for properties based on his or her personal preferences. Once a hotel is selected the consumer will book the transaction, a process that includes entering personally identifiable information (PII) and credit card information for the purpose of confirming the reservation and guaranteeing the stay.
 
The data collected is transmitted from the consumer’s desktop to the brand’s data center. After traversing numerous systems and collection points, the data ultimately lands in the central reservation system (CRS). This is the first touch point and risk vector. All of the payment information and PII may or may not be encrypted during the transmission and may or may not be encrypted at rest in countless systems including the CRS. Data is then transmitted to the property to book the guest’s stay. This second touch point presents risks and challenges that experts have outlined many times. Is the data secured during transmission to the property?  Is the data secure once received and stored in the property management system? Beyond the control of the consumer, his or her data is being shared across multiple systems.

Upon arriving for his stay the consumer again presents his personally identifiable information and payment information. Human error and human risk are now introduced into the equation. It is not as uncommon as you might think for an unscrupulous front desk clerk to steal the credit and personal information of a guest. At check-in, many guests choose to use a credit card that is different from the one initially used to book the stay online. Now two cards are at risk being in the hands of a property that is likely not PCI compliant. The hotel may also ask for a credit card to use for incidental room charges. The consumer may choose to use yet another card and the consumer has up to three cards floating between the property and the CRS. This has the potential of putting the consumer into what we call maximum risk.

OTA Reservations
Taking a look at the same booking through an OTA, we see that the transaction is subtly different but provides significantly more protection for the consumer.
 
The consumer performs the same property search on the OTA website, selecting the best value for the best price. The consumer completes the booking much the same way by providing his personal and credit card information to the OTA. The consumer card data is stored at the OTA only. The OTA then sends the consumer booking information along with a single use credit card to the hotel systems for payment and processing. The CRS stores this data the exact same way as a brand online booking, and while the consumer’s personal information is retained, no payment information belonging to the consumer is transmitted or stored across multiple systems.

Arriving at the hotel the consumer can choose whether or not to provide a credit card or cash deposit to secure incidental purchases. There is no need to provide the hotel with any credit card information unless that is the option chosen by the guest.   Instead of risking his financial data multiple times for a single stay, the guest only submits it once and entrusts the OTA to protect the data. Not all OTAs handle transactions the same way, but the concept of the single-use card has been used by many of them since inception with little or no harm to the consumer.

OTAs were once simply an outlet to move excess inventory. Today they are forces to be reckoned with. They are key and integral components to the revenue generation strategy of many properties. And their utilization of single-use cards makes them effective protectors of consumer data.
  
OTAs were early adopters of Internet security best practices and have illustrated a commitment to the protection of consumer information. As service providers they are subject to the rigors of third-party PCI assessments. Although hotel brands are subject to the same level of assessment, the properties are not.
 
Few would argue that the responsibility to protect personal information falls on the individual. When the consumer books a reservation with a brand it is assumed the consumer data is safe because the brand is PCI compliant. At the point the brand shares the consumer’s data with a property that is not compliant or doesn’t operate in a compliant manner, shouldn’t the consumer be notified and the brand be responsible?

There are the numerous risks in the brand reservation flow that put consumers at risk. In our opinion and in the current environment, OTAs are the best way for consumers to protect their own data.