Tech Talk

Recent posts

Enterprise System Pitfalls: Summary
Today I’m wrapping up a series of posts on the broad topic of Enterprise System Pitfalls. In this series, my hope was to help shed light on the primary problems that cause us to miss budgets, fall short on capabilities, or completely fail when implementing an enterprise system. 

The Year in Review
As 2019 comes to a close, it’s time to count our blessings. One of mine has been the privilege (and fun!) of being able to reach out to so many interesting companies and get them to tell me what they’re doing that’s different, disruptive, and game-changing. The list of things I have to write about in future columns has only gotten longer in the nine months since I started writing this column.

Sustainable Innovation
Sustainability can yield multiple benefits to hotels. Saving energy and water yields direct cost savings. Revenue can be generated by guests who prefer to deal with businesses that minimize their environmental impact. And many would argue that conserving scarce resources is simply the right thing to do.

Meetings Innovation
The sale and delivery of groups and meetings is perhaps the most significant and under-automated functions for many hotels. Even though groups often account for 30% to 60% of revenue, most group bookings are still handled manually for most if not all of steps, as they move from a meeting planner’s research to a confirmed booking.

The biggest enemy to any system is complexity. In a system of inputs and outputs, such as an enterprise system, more complexity means more parts are used in interaction with inputs to create the outputs. Every part that must be built and maintained costs time and money

want to read more articles like this?

want to read more articles like this?

Sign up to receive our twice-a-month Watercooler and Siegel Sez Newsletters and never miss another article or news story.


SNEAK PREVIEW: WTF! (Why They're Freaking!)

by Marion Roger

(by Marion Roger; from Hospitality Upgrade’s Summer/HITEC 2016 Issue)
On March 7, 2016, the U.S. Federal Trade Commission (FTC) issued orders to nine companies requiring them to provide the agency with information on how they conduct assessments of companies to measure their compliance with the Payment Card Industry Data Security Standards (PCI DSS).The accompanying Order to File a Special Report compelled these entities to report on their policies, practices, budgets and handling of potential conflicts of interest between the PCI assessments and other services the companies might provide their clients (i.e., auditing and consulting).

David Lincicum, an FTC attorney in the division of privacy and identity protection, is the lead attorney on the study and is also managing this review. "We go into this looking to get information, to get some details about what the interactions look like," he said, and added that there wasn't any specific incident that prompted the probe. "It's become clearer and clearer that PCI is playing a major role (in payments today),” he said. “We want to look all of the ecosystems of the assessment, who has a role in it, the general effectiveness of the assessments. We will see what we will see."

The firms in question had 45 days to comply. That period has come and gone and officially there has been no news about the status of this investigation. The full story about the investigation appears in the Summer/HITEC issue of Hospitality Upgrade (June 2016), but there are some tidbits worth adding to the story that were not known at press time.

According to several attorneys contacted for the story, while the FTC does not have "authority to enforce compliance with PCI DSS, a private-sector standard established and enforced by industry participants, the FTC does have broad authority under Section 6(b) to issue orders inquiring as to the organization, business, conduct, practices, management, and relation to other corporations, partnerships, and individuals (of the entities to whom the inquiry is addressed).” The Commission’s 6(b) authority also enables it to conduct wide-ranging studies that do not have a specific law enforcement purpose. 

In the initial order, companies were required to provide copies of audits where the client was found to be out of compliance. There has been much discussion about whether counsel for the firms can push back on providing confidential information that could be harmful to their clients. Whether the pushback has taken place is unknown but sources point to a lot of legal maneuvering that will stall the investigation.

It turns out that the FTC probe will be examining, among other things, potentially excessive charges, inconsistency in enforcement, card brand influence and rampant conflicts of interest. That conflict-of-interest issue is all about the ability of qualified security assessors (QSA) to also sell to clients the software/hardware/services that they recommend as PCI-compliant. That is a very real and very unmistakable conflict of interest.

Another note: The FTC plans to explore the relationship between being declared PCI-compliant and the number of subsequent data breaches. A very old problem with PCI has been the card brand tendency to employ revisionist history to data breaches. No compliant merchant has ever been breached, they say, because when a compliant merchant has been breached, the assessment is re-evaluated and invariably removed. It's a classic 1984 theory. PCI works, so if any PCI-compliant merchant is breached, they couldn't have really been compliant. The problem there goes beyond it being a self-fulfilling prophecy. It stems from the flawed assumption that PCI compliance somehow equals that mythical perfect security – one that can't ever be defeated by a bad guy. 

"Just because there was a breach doesn't mean that there was unreasonable security or a PCI violation," Lincicum said. And that is the crux of the investigation. The FTC is ultimately looking into whether merchants and consumers are all lulled into a false sense of security because a merchant is "compliant."  If merchants are led to believe they are doing everything right and then are still breached, is there something wrong with the attribution of the label? Does that then make the entire process a deceptive practice? If both the merchant and the consumer are potentially deceived into believing things are okay when it is known that things are not, how fair is it to make a merchant pay for the full compliance approval process? If the entities know that the compliance label is actually useless, is it abusing its market position for profit?  

The FTC is getting into this deeply and it is a story to watch closely as the year progresses.

Addendum: The spotlight just got a lot hotter! This week the National Retail Federation announced that it has asked the Federal Trade Commission to conduct an investigation into the PCI council and standards saying "the group’s controversial practices raise antitrust concerns."  In a 19-page white paper submitted to the FTC, NRF said the card companies use their market power to “unfairly leverage their brands and proprietary technology through webs of closely controlled interdependent bodies and compliance regimes” including the council. While portrayed as voluntary, the Payment Card Industry Data Security Standard requirements set by the council are “forced upon businesses that cannot refuse to accept credit and debit cards.”

According to the NRF, the "council’s practices raise antitrust concerns” for a number of reasons, including “general antitrust dangers when competitors collaborate on setting market standards” and “more targeted concerns insofar as they allow the networks to leverage their proprietary technology.”

Translation? The FTC is going to be REALLY looking at the PCI council with even more focus than when the story was initially covered for the HITEC issue. Watch this space (and read the story in the June 2016 issue)!
About The Author
Marion Roger
VP Business Development
Hospitality E Resources

Marion Roger, vice president of Hospitality E Resources (HER Consulting), is a specialist in the hospitality supply chain landscape who is currently leading an industry initiative to support guest data security and has developed a hotel-focused training curriculum on PII protection. With a speciality focus on electronic reservation systems, payment technology protection and data security, Marion is a regular on the speaker circuit and contributor to Hospitality Upgrade on these key topics.

Blog post currently doesn't have any comments.
Leave comment

 Security code