Stop the Breaches: Hotels Must Secure Payment Card Data Better

By Victoria Goodwin, Marketing Communications Specialist

News headlines recently have been filled with reports of hotel chains falling victim to large data breaches. Intercontinental Hotels Group (IHG), the parent company for more than 5,000 hotels worldwide, including Holiday Inn, recently experienced a large data breach that impacted at least 1,200 of its properties, compromising the financial and personal data of an untold number of guests. And just this month, Sabre Corporation, which provides the reservation system software used by more than 32,000 hotel and lodging establishments around the world, was the target of a major data breach that stole payment card information and other customer data. In fact, many of the hospitality industry’s most prominent names have all fallen victim at one time or another to data breaches that exposed customers’ payment card information, including Kimpton Hotels, Starwood Hotels, Hyatt, Hilton, Trump Hotels (twice), Mandarin Oriental and White Lodging (twice).

Hotels are prime targets for hackers because in addition to holding payment card information on guests, they also hold a wealth of other sensitive personal data that can be used for identity theft. However, in the U.S., it’s actually the recent transition to EMV chip-enabled payment cards and readers that has caused cybercriminals to increasingly target hotel chains. That’s because in the past, cybercriminals typically compromised the point-of-sale (POS) systems used by retailers and restaurants. They would steal the payment card data embedded in the card’s magnetic strip, then encode it onto counterfeit cards to be used at physical locations to buy products that could be easily sold for cash. Now that more countries around the world have migrated to EMV-compliant POS systems, those types of attacks are harder to carry out. Instead, cybercriminals have shifted their focus to card-not-present (CNP) fraud and are targeting industries where consumers are making their payments and reservations over the phone – such as hotel contact centers.

Hotel operators can better protect their guests’ payment card data and other sensitive information by keeping it out of the call center altogether. Using technology that performs dual tone multi-frequency (DTMF) masking, like Semafone’s, hotels can securely take payments over the phone by simply having guests enter their card details into the telephone keypad. With DTMF suppression, neither the hotel representative on the line, nor a malicious eavesdropper, can determine the payment card numbers that the guest entered. The data is routed directly to the payment gateway so the sensitive information is not held in the call center infrastructure or other unsecured areas of the business.

Falling victim to a data breach that compromises guests’ payment card data or other personal information can be disastrous for a hotel brand. The average cost to clean up after a data breach in 2016 was $4 million (USD)! But, by using new technology solutions that keep payment card data out of the call center, hotel operators can greatly strengthen their data security posture and make themselves a much less attractive target for hackers – something that will help both guests and hotel management sleep easier at night.

With stronger security practices for handling guests’ sensitive data, the hotel industry as a whole can transform itself from being one of the most likely targets for data breaches to becoming a model for data security, thereby ensuring that fewer customers ever have to go through the experience of having their identity stolen. Guests can sleep peacefully, knowing that their data is secure, and the hotel can rest assured that its name won’t be making headlines as victim of a costly data breach.

To learn more, read Semafone CEO Tim Critchley’s commentary in Hotel Management and Hospitality Magazine.

Stop the Breaches: Hotels Must Secure Payment Card Data Better
Semafone