Tech Talk

Recent posts

COVID-19 has caused many to reflect upon the fundamental operations of our global society and our day-to-day lives, including the way we travel. In hospitality, many are wondering how an industry that is so reliant on personal interactions can recover from the crisis and earn back guest confidence.

Lessons from The Last Dance
Posted: 08/10/2020

I don’t know about you, but I loved watching The Last Dance, the story of Michael Jordan & The Chicago Bulls' last season together and their journey to their 6th championship, and second triple win (3 years back to back, twice).

With the news cycle laser-focused on the looming threat of a COVID-19 second wave happening in nearly every territory, it is up to each and every hotel to ensure we are all fully compliant with virus safety guidelines in order to restore group booking confidence. And the only way to ensure compliance with these safety guidelines is through contactless and compliance technologies to give guests a strong guarantee of proper sanitization as well as peace of mind.

A great deal has been written over the years about the viability of moving a hotel’s property-management system (PMS) to the cloud to take advantage of the latest technologies, but hoteliers need to realize that it’s not the only viable option. All platforms have advantages, including self-hosted, private cloud and on-premise solutions that leverage the latest mobile, contact free and web-based technologies. Independent operators can still enhance the digital guest experience, support personalized and mobile check-in, deploy contact free technologies, and secure hotel/guest data even if their PMS does not reside in the cloud. It should not be a question of “Cloud or On Premise?” but rather “Does the PMS solve your business objectives in both technology and service?”

Much has been written in the mainstream hospitality press about the challenges COVID-19 has presented to the industry. Hotels are in more pain than at any time in our memories. Because of the extensive media coverage, I won’t dwell on this topic further in what is primarily a technology column. But it’s the background for this week’s column, and so merits acknowledgement.

want to read more articles like this?

want to read more articles like this?

Sign up to receive our twice-a-month Watercooler and Siegel Sez Newsletters and never miss another article or news story.


Key Takeaways From the 2015 Verizon PCI Compliance Report

by Marion Roger

Verizon released the Verizon 2015 PCI Compliance Report on March 12. The 84-page report contains an overview of how ‘compliant’ companies are and the findings compare prior years’ results to current.

Hospitality Upgrade was invited to interview an author of the report. We asked regular contributor Marion Roger, VP Business Development, Hospitality Evolution Resources, to conduct an interview with Franklin Tallah, lead for hospitality for Verizon.

Note: About 20 percent of the companies covered by Verizon’s report were defined as “hospitality” (grouping hotels, online travel companies, airlines and restaurants.)

To help our readers cut to the chase, Roger asked Tallah, to share what he thought were the most important takeaways for our readers. Tallah’s responses are below:

1. During interim investigation assessments, only 12 percent of all the companies included in the study were compliant at the testing phase, meaning 88 percent were non-compliant at testing. Tallah indicated that the “least prepared industry” was the hospitality segment.  Only four percent of hospitality entities were compliant at interim testing level.  He went on to add that restaurants and travel companies (OTAs and airlines, technically part of the hospitality segment studied) actually fared better than hotels. Thus, given the three groups COMBINED scored an average of only four percent passing, one could deduce that hotels were even LESS than four percent compliant at the interim stage.  

He then expanded his comments to note the report found the hospitality industry as the sector that needs a longer remediation period, sharing they often struggled between the interim findings and fixing issues before the final stages. He attributed that in part to the hub and spoke structure of head offices and the portfolio of properties.

Roger asked if he was surprised that despite the increasing maturity of the standard and organizations’ understanding of it, attaining compliance remains far from easy. Tallah opined that although we operate in such a rapidly evolving threat landscape, the 12 requirements are a good starting point and yet so many are not even passing more than a few.

In particular, Tallah noted that of the 12 requirements, that hospitality companies typically passed only two of them in the interim stage: Requirement #1- having a firewall, and Requirement #12 – Maintaining security policies (an infosec environment.)   Of the other requirements (Principles 2 through 11 inclusive) the hospitality industry as a whole failed.

[For those needing a quick “cheat sheet”, the 12 PCI DSS requirements include maintaining firewalls, securing configurations, protecting stored data, protecting data in transit, maintaining antivirus software, maintaining secure systems, restricting access, authenticating access, controlling physical access, logging and monitoring, testing security systems and maintaining security policies.]

2. Of all the data breaches Verizon’s forensics team investigated over the last 10 years, not a single company was found to be compliant with all 12 PCI requirements at the time of the breach. That said, compliance is up on the whole. Between 2013 and 2014, compliance across the entire population studied, rose in every area except testing security systems.

Of the 12 PCI compliance requirements No. 11, Testing Security Systems, was the only requirement that experienced drop off; dropping from 40 percent to 33 percent compliance.

Tallah pointed out that while testing was a challenge for everyone, the 2014 report also uncovered that the hospitality” sector is the one that struggles the most with the internal vulnerability scan phase of testing. This test is monitored as a pass/fail, and the hospitality industry as a whole failed this phase.

3. He wrapped up with some interesting correlation findings related to the principles. The first finding is that on average, breached organizations were 36 percent less likely to be compliant with a given requirement. In particular 45 percent of the breached companies were not compliant on patch management and development security.

Tallah remarked that sadly the study illustrated one can see a clear correlation between those companies that are not fully PCI compliant and the level of risk they face.

There are a variety of angles to take on the report and a lot of detailed data to sift through.  Depending on the sector and role the reader, interpretation leads to either very positive or quite negative news. 

Delve into the report and grasp that as mentioned earlier, only 20 percent of businesses passed their most recent PCI compliance assessments. But remember: while this is better than the 10 percent compliance rate cited in the 2014 report, it’s important to note that of all the breaches reported by Verizon last year, “not a single company has been found to be compliant at the time of the breach,” underscoring the importance of PCI DSS compliance.

Clearly PCI compliance is only a single element of a much broader security and risk management portfolio. As Forrester Research highlighted on March 3 of this year: “If regulations are the beginning and end of your security strategy, you need to rethink your strategy. Compliance-based strategies have narrow controls that are of limited use to the entire enterprise.”

Click here to view the full report.

About The Author
Marion Roger
HRH Services LLC

Marion Roger is a specialist in the hospitality supply chain landscape who has led an industry initiative to support guest data security and has developed a hotel-focused training curriculum on PII protection. With a specialty focus on electronic reservation systems, payment technology protection and data security, Marion is a regular on the speaker circuit and contributor to Hospitality Upgrade on these key topics.

Blog post currently doesn't have any comments.
Leave comment

 Security code