Essay Sample: Hotel PCI Compliance

This essay has been submitted by a student. This is not an example of the work written by our professional essay writers.
University/College: Middlebury College
Type of paper: Essay

PCI compliance is a realistic goal for every hospitality enterprise. The Payment Card Industry (PCI) encompasses the organizations that issue and process debit, credit, prepaid, ATM and POS cards, together with the businesses associated with them. PCI compliance rests on a set of security standards meant to ensure that every company that accepts, processes, stores or transmits credit card information maintains a secure environment. As in many business enterprises, credit card security is a serious problem, and PCI compliance is only a starting point for defending against information theft. Compliance with PCI standards and regulations mainly aims at curbing hackers and thieves. The PCI Security Standards Council has continually acknowledged new technologies that help to protect cardholders' information, and it also issues guidelines and regulations that every business entity must adhere to.

In recent years, the hospitality industry has been hit hard by credit card breaches and theft of cardholder data. Most hospitality organizations are ripe for the picking because of their high transaction volumes and employees who may have been poorly trained in preventing card fraud. Furthermore, many hoteliers believe that they are not at risk of card fraud because they use payment systems that conform to PCI Security Standards. Stakeholders in the hospitality industry are encouraged to focus on security and not only on compliance. The most efficient and straightforward means of maintaining ongoing compliance is a dedicated internal resource: an individual or team that not only helps prepare for a compliance evaluation but also establishes the protocol to monitor and maintain PCI compliance and security. Compliance with PCI standards and regulations serves as a good foundation for enhancing credit card security in a hospitality business. One primary PCI concern for the hospitality industry is chargebacks, which range from a cardholder disputing a charge for damage to a no-show or late-cancellation charge. Such chargebacks end up bringing losses to the business.

PCI compliance within the hospitality industry requires the following: building and maintaining a secure network, protecting cardholder data, maintaining a vulnerability management program, implementing strong access control procedures, regularly monitoring and testing the network, and maintaining information security policies. Within PCI compliance, several items should be considered. First, access. Management should review who is able to view guests' complete credit card numbers in the property management system; only employees with a business-oriented purpose should be allowed to see guests' full card numbers in the system. The party in charge should also review whether credit cards may be imprinted at the place of business, especially in the hospitality sector, where most clients pay by credit card. Next, the safe storage of registration cards should be reviewed. Under the PCI requirements, any printed documents containing personal or other private data must be physically secured, with access restricted at all times. In other words, all cardholder information must be secured, whether on paper or in an electronic system. There must also be a review of where sales and catering files are stored; it is usually a violation of PCI rules if this information is not kept under lock and key. Sales and catering electronic systems must be reviewed as well, to ensure that all cardholder information is secure and not exposed to hackers or to tampering by hotel employees (HackerGuardian, 2008). Credit card data must be entered only in the fields designated for that purpose in the system. Lastly, there should be a review of whether credit card information is written on sticky notes attached to employees' personal computers. Passwords and other private information must not be left in plain sight or be easily obtainable by other employees.

It is therefore clear that PCI compliance in the hospitality industry is a multi-disciplinary effort. IT, accounting and all operational employees in a restaurant or other hospitality facility must work in close cooperation to implement and maintain the requirements of PCI compliance. All stakeholders in the hospitality industry should be made aware of the myths and facts concerning PCI compliance; by doing so, compliance will be effective and efficient at all levels of the industry. One common myth is that the POS masking all but the last four digits of a credit card number is sufficient. Masking is only a small part of PCI compliance, and on its own it may not adequately secure the cardholder's details. Another misconception is that POS vendors only sell systems that are PCI compliant; restaurants and hotels may still end up contracting with non-compliant vendors. Thirdly, hospitality operators should be informed of the myth that PCI compliance is too costly. Although PCI compliance involves monetary and labor costs, credit card issuers have fined merchants for non-compliance in amounts far larger than the cost of compliance. The rumor that the franchisor handles compliance should also be addressed. It entails the belief that if a hospitality enterprise is a franchise of a brand, then PCI compliance is the franchisor's responsibility. In fact, each hospitality business must be certified independently for PCI compliance (Bradley, 2007).

It is also important to acknowledge the role of technology in PCI compliance in the hospitality industry. Unlike other industries in the economy, hotels and restaurants have a tendency to keep card information in many places. Such venues include central reservations, the front desk, card authorization forms, card imprints, and sales and catering files. All these places make card data prone to theft. While many restaurants and hotels believe that they need to retain credit card information for particular reasons, that retention is precisely why they are at risk. By changing how credit card information is stored, hotels can institute a strong line of defense against cyber criminals. Practices such as card imprinting, accounting reconciliation, credit authorization forms, and information storage for events and catering clients should be re-evaluated. By capturing and storing payment data only when it is unconditionally necessary, the risk of data falling into the wrong hands can be minimized.

As information security threats in the hospitality industry evolve, PCI compliance plays a significant role in ensuring that card data is safeguarded. It calls for hotels to adopt more sophisticated data security technologies such as tokenization and encryption. Through encryption, hotels and other hospitality facilities protect data as it travels from one point to another, so that meaningful information is protected. End-to-end encryption safeguards payment card data from the moment the card is swiped through the entire processing network. Using this technology in hotels scrambles sensitive information before it enters the merchant's system, so cyber criminals find no commercially valuable information there. Through tokenization, sensitive card information is replaced with a token during the card transaction. This makes it possible for hotel management to access the card information they need for business purposes without leaving the full 16-digit payment account number available to everyone. Unlike encryption, tokenization cannot be reversed to reveal the original data.
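The following is an added example, not part of the original essay, illustrating the two ideas the text just described: masking a card number to its last four digits (the "POS masking" myth discussed earlier) and replacing the full payment account number with a token that carries no card information. The vault class, its purpose list and the sample card number are constructed for this illustration; in a real deployment the token vault is a separately secured system that stays inside PCI scope, while the reservation, sales and catering systems that hold only tokens can be kept out of it.

```python
import re
import secrets

# A plausible PAN is 13 to 19 digits; brand and Luhn checks are left to the payment gateway here.
PAN_RE = re.compile(r"^\d{13,19}$")

# Business purposes for which the full PAN may be recovered (constructed policy for this example).
ALLOWED_PURPOSES = {"settlement", "refund", "chargeback_dispute"}


def normalize_pan(pan: str) -> str:
    """Strip the spaces and dashes that appear on registration cards and paper forms."""
    digits = pan.replace(" ", "").replace("-", "")
    if not PAN_RE.fullmatch(digits):
        raise ValueError("not a plausible payment account number")
    return digits


def mask_pan(pan: str) -> str:
    """Masking for display only: every digit but the last four becomes '*'.
    As the essay notes, this alone is not PCI compliance; the full PAN still exists somewhere."""
    digits = normalize_pan(pan)
    return "*" * (len(digits) - 4) + digits[-4:]


class TokenVault:
    """Toy token vault (constructed for this example).

    Tokens are random, so there is no mathematical relation between a token and its PAN:
    a stolen token database reveals nothing without the vault itself.
    """

    def __init__(self) -> None:
        self._token_to_pan: dict[str, str] = {}
        self._pan_to_token: dict[str, str] = {}
        self._last_four: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        digits = normalize_pan(pan)
        # Same card -> same token, so a returning guest can be matched without the PAN.
        if digits in self._pan_to_token:
            return self._pan_to_token[digits]
        while True:
            token = "tok_" + secrets.token_hex(12)   # 96 random bits, no PAN content
            if token not in self._token_to_pan:
                break
        self._token_to_pan[token] = digits
        self._pan_to_token[digits] = token
        self._last_four[token] = digits[-4:]
        return token

    def last_four(self, token: str) -> str:
        """What the front desk needs ("card ending 1111") without touching the PAN."""
        return self._last_four[token]

    def detokenize(self, token: str, purpose: str) -> str:
        """Recover the PAN only for an approved business purpose; every call should be logged."""
        if purpose not in ALLOWED_PURPOSES:
            raise PermissionError(f"detokenization not permitted for purpose {purpose!r}")
        return self._token_to_pan[token]


if __name__ == "__main__":
    vault = TokenVault()
    tok = vault.tokenize("4111 1111 1111 1111")   # constructed test-style number, not a real card
    print("stored in PMS:", tok, "ending", vault.last_four(tok))
    print("display form: ", mask_pan("4111 1111 1111 1111"))
    print("settlement:   ", vault.detokenize(tok, purpose="settlement"))
```

The design point is that only the vault ever sees the PAN; every other system stores the token plus the last four digits, which is all that guest-facing staff need. Detokenization is gated by an explicit purpose so that the access review the essay calls for has a concrete list of who can see full card numbers and why.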

Compliance with PCI standards and regulations is necessary for hotels, as it helps to safeguard all important client information. It is, therefore, a must for all hotels to make the necessary investments to keep card information safe. Hoteliers should not complain about the high cost of PCI compliance, as the cost of a breach is even higher. With the right technology and drive, the hospitality industry can substantially reduce credit card cybercrime. To ease the burden and cost of PCI compliance, it is important to reduce the scope of compliance by eliminating unnecessary card data held at hotels. Similarly, reducing non-useful credit card information reduces both storage costs and the risk of the data being stolen. Depending on the nature of the hotel, the creation of a credit card data inventory should be considered. Compliance also calls for the management of data.
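The credit card data inventory recommended above starts with finding where card numbers actually sit. The following added example (not from the original essay) is a small discovery scan: it looks for 13 to 19 digit runs in text, drops candidates that fail the Luhn check so that phone numbers, booking references and invoice numbers are not reported, and produces a masked inventory by file and line. The sample "files" are constructed in-memory stand-ins for sales and catering notes and front-desk files; a real scan would walk shared drives, PMS exports and e-mail archives.

```python
import re
from collections import Counter

# Candidate: 13-19 digits, optionally separated by single spaces or dashes, not embedded in a longer digit run.
CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers; filters most non-card digit strings."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list:
    """Return the plausible card numbers found in one line of text, digits only."""
    hits = []
    for match in CANDIDATE_RE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits


def mask(digits: str) -> str:
    return "*" * (len(digits) - 4) + digits[-4:]


# Constructed sample content; the card numbers are well-known test-style numbers, not real accounts.
SAMPLE_FILES = {
    "sales_catering/wedding_2019.txt": [
        "Deposit paid by card 4111 1111 1111 1111 exp 12/22, see attached form",
        "Contact phone 555-0134, booking ref 1234567890123",
    ],
    "front_desk/registration_notes.txt": [
        "Guest 4012888888881881 on file for incidentals",
        "Invoice number 9999999999999999 - no card",
    ],
    "it/config_backup.txt": [
        "server_id=20180112345678",
    ],
}


def inventory(files: dict) -> list:
    """Build the card data inventory: (path, line number, masked PAN) for every hit."""
    report = []
    for path, lines in files.items():
        for lineno, line in enumerate(lines, start=1):
            for pan in find_pans(line):
                report.append((path, lineno, mask(pan)))
    return report


def by_location(report: list) -> Counter:
    """Count findings per top-level area, which is where scope reduction decisions are made."""
    return Counter(path.split("/")[0] for path, _, _ in report)


if __name__ == "__main__":
    found = inventory(SAMPLE_FILES)
    for path, lineno, masked in found:
        print(f"{path}:{lineno}: {masked}")
    print(dict(by_location(found)))
```

Each hit in the report is a storage location to question: if the business purpose the essay mentions does not exist for it, the number is deleted or replaced by a token, and that part of the hotel drops out of PCI scope.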

Hoteliers should learn that it is not only about becoming compliant with PCI requirements, but also about maintaining compliance. Recently, there have been numerous reports of breaches that are mostly due to hoteliers' inadequate vigilance in their compliance efforts (Berezina, 2012). Hoteliers should consider the following factors when maintaining compliance in their businesses. First, an intrusion detection system (IDS) and file monitoring should be installed, and if intrusion notifications are not dealt with in a timely way, the organization's credit card information could be compromised. Secondly, hoteliers should make sure that all system and network configurations are well documented and that all data is stored safely. All configuration changes should be documented so that every change is identifiable in the files, and incoming IT personnel should first be oriented on how the system functions to promote the effectiveness and sustainability of PCI compliance. Thirdly, it is recommended that regular audits of operational policies be conducted to ensure that they are being enforced as per the guidelines. Similarly, hotel staff should undergo regular PCI compliance training and education to keep them up to date on any significant changes in the program. Fourth, hoteliers should conduct regular audits of password policies to ensure that they are being upheld; this helps secure cardholder data and other relevant business information from cyber criminals. Fifth, hotel management should conduct regular vulnerability scans, which highlight deficiencies in the network so that they can be acted on appropriately (Bau, 2010). Correcting such vulnerabilities helps to prevent future breaches and the compromise of critical data. Sixth, hotel management should incorporate modern technologies that offer high-level data security to the business. Continuous evaluation of technologies such as tokenization and encryption is considered a crucial part of PCI compliance and should, therefore, be practised by everyone in the hospitality industry. Lastly, hoteliers are encouraged to hold regular PCI compliance meetings and to formulate methods to track compliance with the program (Woda, 2007).
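Two items in the maintenance list above, file monitoring and making configuration changes identifiable, come down to the same control: a recorded baseline of file hashes that is periodically compared against the live system. The following is an added example, not from the original essay, of that comparison. The configuration directory, file names and settings are constructed for the illustration; `demo()` builds them in a temporary directory, takes a baseline, then simulates an undocumented setting change and an unexpected new file so that the report shows what a reviewer would be handed.

```python
import hashlib
import tempfile
from pathlib import Path


def file_digest(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large logs and exports do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def baseline(root: Path) -> dict:
    """Record the digest of every regular file under root, keyed by path relative to root.
    The baseline itself must be stored somewhere the monitored system cannot rewrite."""
    return {
        str(p.relative_to(root)): file_digest(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def compare(old: dict, new: dict) -> dict:
    """Classify differences between two baselines. Every entry is either an approved,
    documented change or an incident to investigate; there is no third category."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(k for k in old.keys() & new.keys() if old[k] != new[k]),
    }


def demo() -> dict:
    """Constructed scenario on a temporary property-management-system config directory."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "pms.conf").write_text("store_full_pan=false\nlog_card_access=true\n")
        (root / "users.conf").write_text("frontdesk:view_last_four_only\n")
        before = baseline(root)

        # Simulated drift since the baseline: a security-relevant setting is flipped
        # without a change record, and a file nobody documented appears.
        (root / "pms.conf").write_text("store_full_pan=true\nlog_card_access=true\n")
        (root / "unexpected.bin").write_bytes(b"\x00\x01")
        after = baseline(root)
        return compare(before, after)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

In practice the comparison runs on a schedule, the baseline is re-signed only when a change ticket explains each "modified" or "added" entry, and anything left unexplained is routed to the same queue as the intrusion detection alerts the essay says must not be ignored.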


References

Bau, J., Bursztein, E., Gupta, D., & Mitchell, J. (2010, May). State of the art: Automated black-box web application vulnerability testing. In 2010 IEEE Symposium on Security and Privacy (SP) (pp. 332-345). IEEE.

Berezina, K., Cobanoglu, C., Miller, B. L., & Kwansa, F. A. (2012). The impact of information security breach on hotel guest perception of service quality, satisfaction, revisit intentions and word-of-mouth. International Journal of Contemporary Hospitality Management, 24(7), 991-1010.

Bradley, T., Chuvakin, A., Elberg, A., & Koerner, B. J. (2007). PCI Compliance: Understand and implement effective PCI data security standard compliance. Syngress Publishing.

HackerGuardian, C. (2008). PCI Approved Scanning Vendor.

Woda, A. (2007). Achieving compliance with the PCI data security standard....
