Tech Talk

Recent posts

Definitely Doug 6/9/23: Hotels Fighting Trafficking: The Role of Technology
Posted: 06/09/2023

This week I want to address an important issue for the hospitality industry, albeit one that technologists have not historically had on their radar. They can potentially play a significant role in addressing the issue, which is human trafficking, and more specifically sex trafficking.

In my last column, I reviewed some key trends in autonomous mobile robotics for hotels, and dove into three categories of delivery robots in more detail – room delivery, food delivery, and heavy-lift robots. This week I will round out the topic with several other robot types and applications, as well as general guidance for evaluating, acquiring, and adopting mobile autonomous robotics. If you have not yet read part one, I recommend going back and doing so before continuing below, as some of the introductory material is important background to what follows.

Read More +

Best Practices for Hotel & Resort Operators in Pool Season 2023
Posted: 05/25/2023

With the arrival of warmer weather and summer fast approaching, hospitality operators are gearing up for another pool season. This year, technology is at the forefront of driving booking revenue and taking operational efficiency to the next level. Modern technology platforms (such as hospitality’s newest technology category – the Property Experience Management System or PXMS) are providing brand new capabilities that unlock new strategies and approaches to filling the pool with satisfied guests.

Read More +

The Growing Role Technology Plays in Hotels and Restaurants
Posted: 05/25/2023

In the past few years, hotels and restaurants have grown into hubs for entertainment, leisure, and human connection. In an effort to best serve their guests, operators have begun rethinking their technological investments and working to adapt to recent shifts in consumer preference and operations. To ensure that guests have the best on-site experience possible, brands are increasingly looking to new technologies to make their experiences more convenient and comfortable. Advanced property management systems (PMS) and point-of-sale (POS) systems can increase operational and staff efficiency, while also meeting changing customer expectations for a high-value but relatively low-touch experience.

This week I will return to a topic I have covered before, because it has, within the last 12 to 18 months, become one of the hottest-growth categories in hospitality technology. That topic is autonomous mobile robots – specifically, ones that can move around the facility as well as perform specific tasks. Many of these products were launched pre-Covid but were often seen at the time as more of a marketing gimmick than a legitimate operational solution.

Read More +

comment on this article

SNEAK PREVIEW: WTF! (Why They're Freaking!)

06/07/2016

by Marion Roger

(by Marion Roger; from Hospitality Upgrade’s Summer/HITEC 2016 Issue)

On March 7, 2016, the U.S. Federal Trade Commission (FTC) issued orders to nine companies requiring them to provide the agency with information on how they conduct assessments of companies to measure their compliance with the Payment Card Industry Data Security Standards (PCI DSS).The accompanying Order to File a Special Report compelled these entities to report on their policies, practices, budgets and handling of potential conflicts of interest between the PCI assessments and other services the companies might provide their clients (i.e., auditing and consulting).

David Lincicum, an FTC attorney in the division of privacy and identity protection, is the lead attorney on the study and is also managing this review. "We go into this looking to get information, to get some details about what the interactions look like," he said, and added that there wasn't any specific incident that prompted the probe. "It's become clearer and clearer that PCI is playing a major role (in payments today),” he said. “We want to look all of the ecosystems of the assessment, who has a role in it, the general effectiveness of the assessments. We will see what we will see."

The firms in question had 45 days to comply. That period has come and gone and officially there has been no news about the status of this investigation. The full story about the investigation appears in the Summer/HITEC issue of Hospitality Upgrade (June 2016), but there are some tidbits worth adding to the story that were not known at press time.

According to several attorneys contacted for the story, while the FTC does not have "authority to enforce compliance with PCI DSS, a private-sector standard established and enforced by industry participants, the FTC does have broad authority under Section 6(b) to issue orders inquiring as to the organization, business, conduct, practices, management, and relation to other corporations, partnerships, and individuals (of the entities to whom the inquiry is addressed).” The Commission’s 6(b) authority also enables it to conduct wide-ranging studies that do not have a specific law enforcement purpose.

In the initial order, companies were required to provide copies of audits where the client was found to be out of compliance. There has been much discussion about whether counsel for the firms can push back on providing confidential information that could be harmful to their clients. Whether the pushback has taken place is unknown but sources point to a lot of legal maneuvering that will stall the investigation.

It turns out that the FTC probe will be examining, among other things, potentially excessive charges, inconsistency in enforcement, card brand influence and rampant conflicts of interest. That conflict-of-interest issue is all about the ability of qualified security assessors (QSA) to also sell to clients the software/hardware/services that they recommend as PCI-compliant. That is a very real and very unmistakable conflict of interest.

Another note: The FTC plans to explore the relationship between being declared PCI-compliant and the number of subsequent data breaches. A very old problem with PCI has been the card brand tendency to employ revisionist history to data breaches. No compliant merchant has ever been breached, they say, because when a compliant merchant has been breached, the assessment is re-evaluated and invariably removed. It's a classic 1984 theory. PCI works, so if any PCI-compliant merchant is breached, they couldn't have really been compliant. The problem there goes beyond it being a self-fulfilling prophecy. It stems from the flawed assumption that PCI compliance somehow equals that mythical perfect security – one that can't ever be defeated by a bad guy.

"Just because there was a breach doesn't mean that there was unreasonable security or a PCI violation," Lincicum said. And that is the crux of the investigation. The FTC is ultimately looking into whether merchants and consumers are all lulled into a false sense of security because a merchant is "compliant." If merchants are led to believe they are doing everything right and then are still breached, is there something wrong with the attribution of the label? Does that then make the entire process a deceptive practice? If both the merchant and the consumer are potentially deceived into believing things are okay when it is known that things are not, how fair is it to make a merchant pay for the full compliance approval process? If the entities know that the compliance label is actually useless, is it abusing its market position for profit?

The FTC is getting into this deeply and it is a story to watch closely as the year progresses.

Addendum: The spotlight just got a lot hotter! This week the National Retail Federation announced that it has asked the Federal Trade Commission to conduct an investigation into the PCI council and standards saying "the group’s controversial practices raise antitrust concerns." In a 19-page white paper submitted to the FTC, NRF said the card companies use their market power to “unfairly leverage their brands and proprietary technology through webs of closely controlled interdependent bodies and compliance regimes” including the council. While portrayed as voluntary, the Payment Card Industry Data Security Standard requirements set by the council are “forced upon businesses that cannot refuse to accept credit and debit cards.”

According to the NRF, the "council’s practices raise antitrust concerns” for a number of reasons, including “general antitrust dangers when competitors collaborate on setting market standards” and “more targeted concerns insofar as they allow the networks to leverage their proprietary technology.”

Translation? The FTC is going to be REALLY looking at the PCI council with even more focus than when the story was initially covered for the HITEC issue. Watch this space (and read the story in the June 2016 issue)!

About The Author

Marion Roger
President
HRH Services LLC

Marion Roger is a specialist in the hospitality supply chain landscape who has led an industry initiative to support guest data security and has developed a hotel-focused training curriculum on PII protection. With a specialty focus on electronic reservation systems, payment technology protection and data security, Marion is a regular on the speaker circuit and contributor to Hospitality Upgrade on these key topics.