As hotels have expanded their efforts to connect with and serve their guests digitally, they have increasingly become lucrative targets for data-stealing cyber criminals. Data security breaches involving hotels have unfortunately been reported extensively in the news, causing damaged brand reputations on top of the already significant financial loss for hoteliers. Hotels have a responsibility and an obligation to ensure the security of the highly sensitive personal information entrusted to them by their customers. To that end, two distinct and equally important sets of compliance guidelines have been developed regarding the handling, storage and use of the personal information customers share with the brands they patronize.
The transient nature of the hospitality industry, with a new batch of guests arriving every day at hotels bearing fresh personal and credit card data, offers cyber thieves a steady stream of potential victims. This is the reason hotels make such lucrative targets for these crimes. The criminals use malware, software designed to capture the customer’s credit card information as it passes through a payment system. This includes not only the card numbers and expiration dates, but the verification codes as well.
PCI (payment card industry) compliance standards provide a baseline of minimum security measures that every business which stores, processes, or transmits cardholder data must adhere to. The standard is called the PCI Data Security Standard (PCI DSS), and all merchants must follow it in order to enter into contractual agreements with the banks that process the cards.
Simply put, whereas PCI compliance standards protect credit card transactions, PII compliance standards protect all other forms of personal data collected by hoteliers from their guests. PII stands for personally identifiable information and includes highly sensitive personal data points such as an individual’s name, date of birth, phone number, email address, IP address, and bank account information, among others. Every time a guest books a hotel, joins a loyalty program, or chooses to follow a brand on social media, for example, that information is stored and used in marketing campaigns directed at the individual. Additionally, this information is shared and used across many platforms, well beyond the original point of interaction.
PII compliance standards are regulated and enforced to varying degrees, in a very fragmented way, around the globe. Addressing this fragmentation uniformly for EU citizens is the intended goal of the upcoming roll-out of more robust regulations for the European Union, called the GDPR (General Data Protection Regulation). This is an event which will have far-reaching impact, even for hoteliers outside of the European Union.
In part three we will take a more in-depth look at the EU’s GDPR and the far-reaching repercussions it brings for all hotels on a global scale.