February 25, 2016
By Tony Ashe, Executive Vice President of Business Development, MiFinity
When a payments professional hears the term “high-risk merchant,” the image of a payday lending operation or 1-800 line may come to mind. But surprisingly, hotels—even large well-known corporate brands—wear the unwelcome high-risk merchant tag, too. Should they, though?
Certainly, many high-profile data breaches have impacted the hotel sector in recent years. In fact, Hilton Worldwide, the Mandarin Oriental Hotel Group, Starwood Hotels, and White Lodging Services Corporation (a franchise operator for many Hilton, Marriott, Holiday Inn, Westin and Sheraton hotel locations) all have experienced well-publicized breaches of customer credit and debit card information in just the last three years.
While each of those hacks made headlines, however, they weren’t necessarily hotel-specific. Infiltrated point of sale (POS) systems at the hotels’ restaurants, bars, and gift shops were found to be the source of each breach (and the resulting credit card fraud). A reported 38 percent of all credit card fraud stems from the hospitality industry—but with POS hacks highlighted as the most noteworthy examples, it can seem as if a hotel’s chief vulnerability area may simply be a cash register outside the lobby.
And therein lies a major issue. Hotels do possess huge vulnerabilities to fraud and other forms of financial crime, for a multitude of reasons largely unique to their industry. But the hospitality-sector-specific weaknesses don’t make for headline-grabbing news… and that makes them all-too-easy for industry executives to ignore.
Some of the fraud vulnerabilities of hotels are obvious: large numbers of frequently rotating guests, reservations, and card-based transactions; frequent chargebacks; and heavy interference from hotel personnel (just to name a few). Other risk areas are less easy to spot, however, and “chaining” is one of those.
Chaining: A Risk that Flies under the Radar
Chaining is the process by which hotel brands transfer consumer data from their central reservations systems to connected third parties and franchises. Despite what the public may perceive as a unified brand, many individual hotels are independently operated under a franchise model—and the independent outfits rarely are as committed to data security and fraud prevention as their overarching corporate brands are.
Hotels, for example, are bound by the requirements of PCI DSS—the Payment Card Industry Data Security Standard. Under those guidelines, corporate-owned-and-operated hotels deploy data encryption, network firewalls and physical security measures to mitigate their fraud risk and maintain PCI compliance. But, even if a brand’s central reservations system is compliant with the PCI DSS requirements, the systems of 92 percent of independently owned and operated hotels—with which large brands frequently chain consumer data—are not, and often lack any meaningful data security or data privacy programs.
That creates a glaring vulnerability for the capture of consumer credit card information. Through chaining, hotel brands are transmitting their customers’ cardholder data to non-compliant partners daily—and often injecting no supplemental protections into the process beyond the data encryption required for the corporate brand’s PCI compliance.
Given the inherent risks of the chaining process, tokenization—which has been largely underutilized in the hospitality sector to date—may be hotels’ best tool for protecting consumers. Tokenization safeguards payment card data by substituting a cardholder’s primary account number (PAN) with a randomly generated, one-time, virtual card number (i.e., a token) and bundling it with business rules for its exact use (where, when, and by whom). Because the token is uniquely generated for one specific transaction, there is no way to trace it back to the original card number or apply it for any purpose beyond the intended use.
Without PAN exposure, the fraud risk associated with chaining goes down significantly: A brand that transmits only tokenized transaction information to its franchise hotels doesn’t have to worry about those franchises (or any hackers) decrypting, mishandling or misusing original card data.
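To make the mechanism concrete, here is an added illustration (not MiFinity’s product or the author’s code) of a brand-side token vault that issues a random, single-use token bound to one franchise, one amount and one time window, and refuses any redemption that violates those rules. The franchise identifiers, amounts and timestamps are constructed sample values, and the PAN is a standard test card number.

```python
import secrets
from dataclasses import dataclass

# Constructed sample value: a well-known test number, not a real card.
SAMPLE_PAN = "4111111111111111"

@dataclass
class TokenRecord:
    pan: str            # stays inside the vault (encrypted at rest in a real deployment)
    franchise_id: str   # the only party whose redemption request is honoured
    amount: int         # exact amount in minor units (e.g. cents)
    expires_at: int     # unix time after which the token is dead
    used: bool = False  # single use: the first successful redemption burns it

class TokenVault:
    """Brand-side vault: the only place the token-to-PAN mapping exists."""

    def __init__(self):
        self._records = {}

    def tokenize(self, pan, franchise_id, amount, now, ttl_seconds):
        # Random token, not derived from the PAN, so it cannot be inverted without the vault.
        token = "tok_" + secrets.token_hex(16)
        self._records[token] = TokenRecord(pan, franchise_id, amount, now + ttl_seconds)
        return token

    def redeem(self, token, franchise_id, amount, now):
        """Check every bound business rule; return (status, PAN) with the PAN only on 'ok'."""
        rec = self._records.get(token)
        if rec is None:
            return "unknown_token", None
        if rec.used:
            return "already_used", None
        if rec.franchise_id != franchise_id:
            return "wrong_franchise", None
        if rec.amount != amount:
            return "amount_mismatch", None
        if now > rec.expires_at:
            return "expired", None
        rec.used = True
        return "ok", rec.pan  # released to the brand's settlement path, never to the franchise

def chaining_demo():
    """Brand issues a token for franchise FR-100; returns outcomes of several redemption attempts."""
    vault = TokenVault()
    t0 = 1_000_000
    token = vault.tokenize(SAMPLE_PAN, "FR-100", 18_950, now=t0, ttl_seconds=3600)
    leaks_pan = SAMPLE_PAN in token
    results = {
        "other_franchise": vault.redeem(token, "FR-200", 18_950, t0 + 10)[0],
        "wrong_amount": vault.redeem(token, "FR-100", 25_000, t0 + 10)[0],
        "legit": vault.redeem(token, "FR-100", 18_950, t0 + 10)[0],
        "replay": vault.redeem(token, "FR-100", 18_950, t0 + 20)[0],
    }
    late = vault.tokenize(SAMPLE_PAN, "FR-100", 500, now=t0, ttl_seconds=60)
    results["expired"] = vault.redeem(late, "FR-100", 500, t0 + 61)[0]
    return token, leaks_pan, results
```

The franchise only ever handles the `tok_…` string, so a compromise on its side yields nothing reusable; the vault itself becomes the asset that must be protected.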
Tokenization to the rescue?
Tokenization isn’t a panacea for hotels’ financial crime risks—especially since so much fraud originating at hotels stems from insufficient security at the gift shop or bar. But tokenization can make a tangible impact. Applying a trusted tokenization solution for fraud prevention puts hoteliers in a stronger negotiating position with payment services providers, potentially helping them lower processing fees, and it practically eliminates the inherent vulnerabilities of chaining with connected third parties.
So while it won’t take them off the “high-risk merchant” list any time soon, tokenization can help hotels better protect themselves from new and existing threats—and protect their reputations in the process.
Tony Ashe is executive vice president of business development for MiFinity Payments. Formerly known as NXSystems, MiFinity Payments is a global payment solutions provider with offices in the U.S., U.K., Ireland and Malta that provides secure, cost-effective payment products for global companies including those in the travel and gaming industries.