Definitely Doug 3/6/20: Can Hotels Finally Secure Payment Data?

by Doug Rice

It was 12 years ago that the hotel industry first experienced a large breach of payment card data. Hotels and technology vendors have made very significant efforts since then, yet it is hard to identify a major hotel group that has NOT suffered at least one incident, and many breaches have been quite recent. Despite all the efforts, the Verizon 2019 Data Breach Investigation Report says that the accommodation industry is still the most common victim for Point-of-Sale (POS) intrusions (and based on their terminology, this includes breaches of Property Management Systems as well as POS systems). As much as hotels have improved security, hackers have improved their own methods to keep pace.

Much of the industry’s improved security can be credited to the implementation of tokenization solutions. Hotel systems can replace sensitive payment card data with what is essentially a reference pointer (called a token) to the actual card data, which is itself stored securely, often on a third-party site. The tokens are useless to a thief, so POS and Property Management Systems (PMSs) that use tokens (and don’t otherwise touch payment cards) cease to be targets. Most of the larger hotel groups have implemented tokenization, many following approaches recommended in the HTNG Secure Payments Framework for Hospitality. That framework was developed in 2011-12 and published in early 2013 after CIOs of several major hotel groups called on HTNG to develop a common industry approach to securing payment card data and identified the need for many of the solutions that have come to market since.

Tokenization efforts by hotel groups have focused mainly on the systems they manage themselves, usually including central reservations systems (CRSs) and loyalty databases and in many cases PMSs, but often excluding property-managed systems such as POSs and some PMSs. Vendors have stepped in to fill some of these gaps; many PMS and POS systems can now be deployed either without touching payment card data in the first place, or with support for tokenization solutions from various payment gateway providers.

Secure capture page services have also become commonplace; these are website and mobile app plug-ins that can securely collect payment card data. When a user needs to enter payment card information online, the secure capture page collects, processes, and (if needed) tokenizes the card data without that data ever being exposed to the hotel website or app.

The concepts behind these solutions are simple: move all sensitive payment card data into an isolated system that can be properly managed by security professionals. A few larger hotel groups do this in-house, while a much larger number use third party companies that specialize in the payments process.

Still, there are common gaps that expose hotel systems to raw payment card data and create risks of a breach. They also force costly and time-consuming compliance with the Payment Card Industry Data Security Standards (PCI-DSS). CRSs and PMSs receive bookings from third parties like online travel agents (OTAs) that often include raw payment card data. Although the card information can be tokenized before storing it in the hotel system, the raw card data is necessarily present while performing the tokenization. That means the hotel system has access to payment data – and can be breached.

Many hotels still use paper forms for credit cards, such as for event bookings and third-party room guarantees. These forms not only create a paper-trail risk but also require the manual entry of raw payment card data into a system, which then becomes a target for hackers. Meeting planners may email spreadsheets with rooming lists containing credit card numbers for individual guests. Hotels and contact centers take payment card data by phone (often on recorded lines) or by insecure email, meaning that recordings and email logs are vulnerable. Commercial and in-house solutions to these issues exist, but the in-house solutions bring at least some hotel systems back into the scope of the PCI-DSS requirements, increasing compliance costs and making the systems targets for breaches. Commercial solutions have improved, but historically they have been closed ecosystems around a single gateway or processor, requiring the hotel company to use a single provider and/or their preferred partners at all locations, which is impractical for many geographically dispersed hotel groups given that none of the providers are truly global.

The major hotel companies have addressed these issues in varying degrees, but often have little or no control over what happens at franchised hotels. Global brands often face additional gaps because they have hotels located in less-developed geographies where their primary service providers (gateways, acquirers, tokenization services) may not be supported. For example, the CRS may be able to tokenize a payment card in a reservation for an overseas hotel, but that hotel’s payment partners won’t have the ability to detokenize it. As a result, the CRS needs to detokenize it before sending it, again meaning the CRS is processing sensitive data, which tokenization is intended to prevent.

Independent hotels and regional groups have better options in many parts of the world, since they only need a solution that works in a single country or region (such as Shift4 in the United States), and some providers offer fairly comprehensive payment security suites. Often, companies like this work with local PMS and POS vendors and can provide good options for keeping payment card data out of those systems. Still, most can’t handle the “arrival” of payment card data into the system, such as when it comes from a central reservation service, an OTA, or via email, telephone, or spreadsheet.

This week I will look at some of the new tools that have emerged in the past year or two to address some of these issues. Some of them won’t be practical for direct adoption by independents or smaller hotel groups, but many of the providers work with partners in the PMS or POS community. Knowing that the capabilities exist, even smaller hotel groups can have informed conversations with their PMS or POS vendors to find out whether they offer, support, or could add these or similar solutions.

In 2013, the Secure Payments Framework for Hospitality identified a pressing need for a service that could intercept interface messages that contain payment card data while they are en route (such as between an OTA and a PMS), replace the payment card data with a token, and forward the message on to the hotel PMS so that the hotel system never had to touch raw payment card data. I’ve been looking for such a service ever since, and finally I found one. The PCI Shield product from PCI Booking does exactly this, accepting inbound reservation messages from channel partners, tokenizing the payment card, and forwarding the message on. PCI Shield also provides secure payment card capture from websites and mobile devices (many other providers also do these). It offers a solution for contact centers, where a secure payment link can be sent to the customer via email, text, or chat in real time. It works on outbound messages as well, reinserting the actual payment card data in place of the token, such as for sending a reservation from the CRS to a hotel that uses a different processor. I was very pleased to finally see such a solution. It still needs some work to meet all the needs of some hotels, but it is a major step forward. With many hotels getting 40% or more of their bookings from online channels, this represents a major exposure.
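The tokenization model described earlier in the column and the in-flight interception service described in this paragraph, as an added example in Python; this is not code from the column, from HTNG, or from PCI Booking's PCI Shield. It assumes a constructed JSON-style booking schema (card numbers in fields named card_number or pan), an in-memory vault standing in for the isolated, professionally managed card store, and the widely published test card numbers 4111111111111111 and 5555555555554444. The scan at the end is the check a hotel can run over anything its PMS or CRS actually stores or logs: after tokenization, no value should look like a live card number.

```python
"""Toy interception service: tokenize card data in inbound reservation
messages, and reinsert it on the way out only when the receiving partner
cannot use tokens. Added example; schema, vault and card numbers are
constructed for illustration."""
import copy
import re
import secrets

# Field names that carry a primary account number (PAN) in the constructed
# message format. Real OTA/CRS interfaces use their own schemas.
PAN_FIELDS = {"card_number", "cardNumber", "pan"}
TOKEN_PREFIX = "tok_"
PAN_PATTERN = re.compile(r"^\d{13,19}$")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class CardVault:
    """In-memory stand-in for the isolated card store (often a third party).

    A token is a random reference with no mathematical relationship to the
    PAN, so a copy of the PMS or CRS database holds nothing a thief can use.
    """

    def __init__(self) -> None:
        self._pans: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        if not (PAN_PATTERN.match(pan) and luhn_valid(pan)):
            raise ValueError("not a plausible card number")
        token = TOKEN_PREFIX + secrets.token_hex(16)
        self._pans[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        return self._pans[token]


def _walk(obj, fn) -> None:
    """Apply fn to every PAN-carrying dict in a nested message, in place."""
    if isinstance(obj, dict):
        if PAN_FIELDS.intersection(obj):
            fn(obj)
        for v in obj.values():
            _walk(v, fn)
    elif isinstance(obj, list):
        for v in obj:
            _walk(v, fn)


def tokenize_message(message: dict, vault: CardVault) -> dict:
    """Inbound leg: replace every PAN with a token, keep only the last four digits."""
    msg = copy.deepcopy(message)

    def swap(d: dict) -> None:
        for key in PAN_FIELDS.intersection(d):
            pan = d[key]
            if isinstance(pan, str) and not pan.startswith(TOKEN_PREFIX):
                d[key] = vault.tokenize(pan)
                d["last4"] = pan[-4:]  # enough for front-desk display

    _walk(msg, swap)
    return msg


def detokenize_message(message: dict, vault: CardVault,
                       partner_accepts_tokens: bool) -> dict:
    """Outbound leg: reinsert the PAN only for a partner that cannot detokenize."""
    msg = copy.deepcopy(message)
    if partner_accepts_tokens:
        return msg  # token-aware partner: raw data never leaves the vault

    def restore(d: dict) -> None:
        for key in PAN_FIELDS.intersection(d):
            if isinstance(d[key], str) and d[key].startswith(TOKEN_PREFIX):
                d[key] = vault.detokenize(d[key])

    _walk(msg, restore)
    return msg


def raw_pan_count(obj) -> int:
    """Count values anywhere in a structure that look like live card numbers."""
    if isinstance(obj, dict):
        return sum(raw_pan_count(v) for v in obj.values())
    if isinstance(obj, list):
        return sum(raw_pan_count(v) for v in obj)
    if isinstance(obj, str) and PAN_PATTERN.match(obj) and luhn_valid(obj):
        return 1
    return 0


# Constructed sample: an OTA booking with a card on the booking and a second
# card on a guest in the rooming list (both are published test numbers).
SAMPLE_BOOKING = {
    "booking_id": "OTA-12345",
    "hotel": "HOTEL-CODE-PLACEHOLDER",
    "payment": {"card_number": "4111111111111111", "expiry": "12/27", "holder": "A. Guest"},
    "guests": [{"name": "B. Guest", "pan": "5555555555554444"}],
}

if __name__ == "__main__":
    vault = CardVault()
    tokenized = tokenize_message(SAMPLE_BOOKING, vault)
    print("raw PANs before:", raw_pan_count(SAMPLE_BOOKING), "after:", raw_pan_count(tokenized))
    print("for legacy processor:", detokenize_message(tokenized, vault, False)["payment"])
```

The `partner_accepts_tokens` flag models the overseas-hotel case from the column: a CRS that must reinsert the card number for a partner that cannot detokenize is again handling raw data, so that path, not the token-aware one, is the one worth keeping on a short list for PCI scope and monitoring.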

Another service from Sertifi addresses the challenge of eliminating paper-based payment authorizations, such as for group bookings or when a non-guest wishes to pay for someone else’s room. Sertifi added a secure payment capability to its preexisting e-signature products, for example enabling a meeting planner to sign off on a contract and submit payment through a single secure system. Sertifi can work with the hotel’s existing token provider and integrates with many PMSs and some sales and catering systems (if not interfaced, the hotel can securely view the payment card information and input it manually, although depending how this is done it may expose the PMS to the raw data). Sertifi can also support alternative payment methods such as Apple Pay and Alipay (assuming the hotel’s processor can).

Idem Hospitality has a good solution for secure entry of payment card data by meeting planners or group delegates, particularly where each guest needs to provide a credit card for room guarantee or deposit. The meeting planner can enter a rooming list, or individual guests can book into the group block, with payment handled securely. Idem eliminates the need for meeting planners to send spreadsheets and can bypass the need for customization of a reservation system to handle individual bookings into group blocks. Integration of payments also makes it simple for hotels to offer group delegates a broader set of options for prepayment and upselling.

For email reservations (which are still much more common than you might guess), Hotel Res Bot’s HERA solution provides a means of securing the payment data. HERA is an Artificial Intelligence solution that provides automated or semiautomated responses to email reservation requests, parsing and clarifying details in freeform text to enable automatic entry into the PMS. To avoid having the customer send payment card information by email, once the request is fully clarified, the “bot” can send a confirmation with a secure payment link, keeping the payment card data out of the hotel system.

Most hotel groups rightfully want to get out of the business of managing credit cards in their own systems, and with tools like these, more of them can.

These tools can be extremely useful to some hotels in reducing exposure to credit card breaches, but for most hotels, gaps will still remain. Hackers most often gain entry by finding the weak point in a hotel’s network – whether it is the CCTV system, the PBX, the parking system, or something else. They use remote access and default or stolen login credentials. Once into the first system, they then traverse the internal network to find systems that have sensitive data. Network segmentation can help prevent this, by making every message from one system to another traverse a firewall. Universal multi-factor authentication can make remote entry much more difficult. However, few hotels are equipped to manage security measures like these internally. So, it’s encouraging to see service providers such as Security Validation now offering security as a managed service. These practices can protect not only payment card data, but all personal guest data.

More innovation and product development are still needed in payment security, but 12 years after the first major breach, I can finally see some light at the end of the tunnel.

Douglas Rice
