Security framework looks to better secure hotel credit card data

In doing so, the framework aims to reduce the cost and complexity for hotels of all sizes of complying with the Payment Card Industry Data Security Standard (PCI-DSS).

The hotel industry is widely reported to be one of the most frequent targets of credit card thieves. The structure of the hotel business contributes to its vulnerability, as it typically requires that customer payment card information be available for use over a period of weeks or months. Additionally, the hotel booking ecosystem requires frequent exchange of payment card data among unrelated businesses, such as OTAs, brands and franchisees. Compounding these risks is the fact that many hotels are independently owned small businesses that lack the technical expertise and budget required to implement payment card security measures that can keep pace with the increasing sophistication of criminal organizations attempting to steal this information.

The HTNG Secure Payments Framework for Hospitality builds upon, rather than replaces, extensive payment card security solutions that several major hotel groups, as well as their payment service providers, have already implemented, the organization said. In particular, it supports all known variations of tokenization, a widely used approach that replaces sensitive payment card data with a token, or marker. Hotels can use tokens to process payments, but they expose no sensitive customer credit card information to potential thieves.

The Framework also incorporates emerging payment card industry approaches for card capture (e.g. swipe devices) based on point-to-point encryption (P2PE).

The framework also provides a guideline for accepting third-party reservations containing payment card information without exposing hotel systems to sensitive card data (without such a guideline, at least one hotel system, and often many, would be exposed). It also allows customers to provide payment card data during voice reservation transactions without bringing the agent, the call center system or the call recording systems into PCI scope.

It also focuses on allowing unrelated business entities (e.g., brands, franchisees, OTAs) to send reservations with payment card data, without exposing either party’s systems to sensitive card data, and without requiring the parties to use the same security approach, tokenization provider or payment gateway.

And finally, the framework looks to support the research of credit card transactions by hotel staff, such as for dispute investigation; the acceptance of payment card data through hotel websites; and accepting information submitted by customers through e-mail, fax or document upload (e.g. a meeting planner spreadsheet), without exposing hotel systems to the PCI scope.

The organization said that, over the past 18 months, it has opened the document to PCI-qualified security assessors (QSAs) in North America and Europe to review the HTNG Secure Payments Framework for Hospitality. The evaluations to date support the position of participating hotels that the Framework incorporates known best practices and, when properly and fully implemented, can remove hotel systems from the scope of onerous PCI validation requirements.

Today, those requirements typically apply to property management systems (PMS), point of sale systems (POS), central reservations systems (CRS), booking websites, e-mail systems, fax servers and other applications commonly used by hotels. Both HTNG and the QSAs remind hotels, however, that even though their systems may be taken out of scope for PCI compliance by implementing the Framework, other PCI requirements still apply, as they would for any merchant that accepts payment cards.
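As an added illustration, not HTNG's code and not part of the Framework, the following Python sketch shows the tokenization idea described above and a simple check a hotel could run to confirm that a system taken out of scope really no longer holds card numbers. The `TokenVault` class, the `tok_` token format, the `make_reservation` record layout and the sample card numbers are assumptions constructed for the example; in practice the vault lives with the payment service provider, not inside the hotel.

```python
import re
import secrets
import string

# Constructed sample inputs: industry-standard test card numbers, not real accounts.
SAMPLE_PANS = ["4111111111111111", "5555555555554444"]


def luhn_valid(pan: str) -> bool:
    """True if `pan` is 13-19 digits and passes the Luhn check-digit test."""
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


class TokenVault:
    """Hypothetical token service run by the payment service provider.

    The hotel submits a PAN once and receives an opaque token; only the
    provider can map the token back, and only at charge time.
    """

    def __init__(self) -> None:
        self._pan_by_token: dict = {}
        self._token_by_pan: dict = {}

    def tokenize(self, pan: str) -> str:
        if not luhn_valid(pan):
            raise ValueError("not a syntactically valid PAN")
        if pan in self._token_by_pan:  # same card -> same token
            return self._token_by_pan[pan]
        while True:
            # Random letters only: the token carries no information about the
            # PAN except the last four digits kept for receipts and dispute lookups.
            body = "".join(secrets.choice(string.ascii_letters) for _ in range(16))
            token = f"tok_{body}_{pan[-4:]}"
            if token not in self._pan_by_token:
                break
        self._pan_by_token[token] = pan
        self._token_by_pan[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        """Provider-side only; a hotel system never needs this."""
        return self._pan_by_token[token]


def make_reservation(vault: TokenVault, guest: str, pan: str) -> dict:
    """What the hotel's PMS stores: a token and a masked number, never the PAN."""
    return {
        "guest": guest,
        "card_token": vault.tokenize(pan),
        "card_display": "**** **** **** " + pan[-4:],
    }


# Digit runs of 13-19, allowing the spaces or dashes people type into free text.
_PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){13,19}(?!\d)")


def find_pans(text: str) -> list:
    """Return Luhn-valid card numbers found in `text`.

    Run over PMS exports, e-mail folders or fax archives to verify that the
    tokenization cut-over actually removed card data from those systems.
    """
    hits = []
    for m in _PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            hits.append(digits)
    return hits


if __name__ == "__main__":
    vault = TokenVault()
    record = make_reservation(vault, "A. Guest", SAMPLE_PANS[0])
    print(record)
    print("PANs in PMS record:", find_pans(str(record)))
    print("PANs in a fax note:", find_pans("card 4111 1111 1111 1111 exp 12/29"))
```

The scan in `find_pans` is deliberately simple: it flags any Luhn-valid digit run, so it will also catch numbers typed with spaces into a fax transcription or an e-mail body, which is exactly the kind of data the article says must stay out of hotel systems. A tokenized reservation record produces no hits because the token contains no digit run and the display string keeps only the last four digits.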

Achieving these objectives removes the most difficult and expensive aspects of PCI compliance for hotels. While some larger hotel companies may still choose to retain payment card data in certain systems, the Framework allows this to become a conscious choice rather than a necessary risk of doing business.

“The objective is to let hotels focus on hospitality, and let the payment services industry deal with payment card security,” said Douglas Rice, HTNG’s CEO.

He added: “This is a major milestone that has the support of the leading companies in our industry. But it will only be fully effective in protecting hotel customers if every hotel company, every independent hotel, every application vendor, every distributor, and every payment service provider uses it. By making it widely available and freely usable, we will accelerate the adoption of the solution that can soon make payment card information breaches and the high cost of PCI compliance yesterday’s problem for hoteliers.”
