Managing compliance in the hospitality industry [Q&A]
Even for businesses in sectors like finance and healthcare, where compliance and security are ingrained in the culture, protecting sensitive information is a major challenge.
For other sectors where it's incidental to the main business, compliance can be a major headache. With new payment card security requirements and other regulations like GDPR coming into force, businesses in sectors like hospitality need to up their game. We spoke to Geoff Milton, security strategist at data protection company ShieldQ to find out how the hospitality industry can overcome the headaches associated with compliance.
BN: What effect will the changes to PCI-DSS regulations have on businesses that take card payments?
GM: In under a year, the next major version of the payment card industry standard, PCI DSS 3.2, will take effect.
The revisions have been made, according to the PCI DSS, to meet the 'growing threats to customer payment information' with changes put in place to protect consumers against loss or fraud. It reflects the fact, also, that there are greater security risks for those handling credit card data.
With the latest iteration, to comply with the new standards, businesses will need to implement multi-factor authentication for all non-console administrative access and all remote access in the cardholder environment. The deadline for organizations to comply with this new requirement is February 1, 2018.
BN: Are there particular issues for the hospitality sector?
GM: Most certainly. In fact, the hospitality sector accounts for the highest number of cards lost in any data breach, according to a recent report. This comes down to a number of factors: the use of outdated, legacy systems, not investing in the latest security technologies, lack of clarity on who 'owns' data security within the organization and the fact that, for cyber criminals, businesses handling card data in this sector represent a highly lucrative target.
The requirements for PCI compliance provide a framework for bolstering payment data security, particularly for the storage of cards used for guaranteed booking and, rather than being viewed as an exercise in paperwork, can be seen as an opportunity to put better security defenses in place.
One of the PCI DSS's new requirements is to ensure that service providers' executive management establish responsibility for protecting cardholder data and a PCI DSS compliance program. Businesses that are already PCI compliant will need to introduce processes to meet the new requirements. They will also need to do reviews at least quarterly, to ensure staff follow security policies and operational procedures. However, there are further challenges for anyone who isn't PCI compliant already. It's likely they will have to scramble to gain accreditation and they may not make the February 1st deadline. That's why we'll probably see a lot of organizations turning to third-party, outsourced solutions that can provide PCI compliance almost instantly.
It's notable that trade associations are also urging the industry to take action. For example, The Association of South African Travel Agents CEO, Otto de Vries, has noted that the International Air Transport Association (IATA) is lighting a fire under travel agents. Apparently, IATA sent out a communication stating that if current or potential agents want to be IATA accredited, they must become PCI compliant by March 2018.
BN: Is there a need for greater awareness of where responsibility for compliance lies?
GM: I'd say it's more of an awakening: organizations can no longer fool themselves into believing that they can self-certify as PCI compliant, or erroneously place such assertions on their websites and marketing content. For too long, there's been complacency, or perhaps even a misguided belief, that a data breach won't happen to their organization. But it only takes one incident to occur for an organization's reputation to be damaged -- not to mention the considerable penalties, possible class action suits and bad press.
BN: Can outsourcing help hospitality businesses avoid the pitfalls of PCI?
GM: Absolutely. If you have an external service provider, they become your watchdog, taking on the burden of PCI compliance with all that this entails: instilling security policies, ensuring hardened infrastructure and QSA accreditation. Then, you don't have to worry anymore. Ultimately, using an outsourced provider, so that this data doesn't enter your infrastructure and that you remain out of PCI scope, provides peace of mind.
BN: How will other new regulations, like GDPR, affect the hospitality industry?
GM: Organizations worldwide -- not only in the EU -- will need to be extremely vigilant when dealing with EU citizens' personally identifiable information (PII) and cardholder data. They will need to be sure that such information is well protected against any data breach.
Those who are already PCI compliant, however, will find that the road to GDPR will be easier, since PCI DSS standards, as you know, are quite stringent.
The only missing element -- albeit a challenging one -- is the requirement to discover where personal data is located, catalog it, and store it in a secured environment, ready for retrieval if an individual asks to view it, remove it or make any other request.
Beyond the issues of achieving compliance and the threat of fines, there are good commercial reasons for meeting these regulatory requirements. These provide an opportunity to really take stock of the existing measures in place to safeguard payment data and to see how these can be improved to prevent a data breach. Protecting against possible loss of data, loss of revenue and even loss of business is worth taking seriously.
The risks of non-compliance are simply not worth taking.