Stories of serious data breaches are creeping into the news on a regular basis. Large organizations such as Wyndham Worldwide Group, Radisson Hotels Group, Tripadvisor, Facebook, eircom, Meteor and Ulster Bank have been hit in recent times and have received the type of publicity no business needs.
If you operate your hotel without the necessary measures to protect your business and your customers from a data breach, you are exposing your business and customers to risk. Without the proper controls your confidential information and your customers’ personal information and credit card details could be hacked into, causing immeasurable damage.
Bookassist operates in numerous jurisdictions and constantly monitors legislative developments across Europe for the benefit of our hotel clients. Here, I provide information on the standards and legislation in place to help protect your business and customer. I also highlight what actions have been taken by Bookassist to protect our hotel clients and their customers.
1. PCI DSS
What is PCI DSS?
Payment Card Industry Data Security Standard (PCI DSS) are technical and operational standards that were created by the major credit cards companies (Visa, Mastercard, American Express) in 2004. The current version of PCI DSS was released in October 2010. The standards apply to all organisations who store, transmit or process cardholder data. PCI DSS is an industry standard and is not actually a legal requirement in Ireland and many other countries.
The aim of PCI DSS is to set standards that assist in the prevention of fraud. Being PCI DSS compliant does not mean that you won’t have a data breach but it does mean that in the event of a data breach arising, the credit card companies will support you.
What you can / cannot do?
For starters, hotels or any business should not under any circumstances store CVC (card verification code) numbers. CVC numbers are personal numbers on credit cards and are similar to a personal signature. In the event of fraud arising, card details without CVC numbers are less useful to fraudsters.
- Access to machines which hold reservation information should be restricted and passwords should not be shared between staff.
- Cardholder information should not be kept or transmitted in an unsecure manner. Where you are sending or receiving cardholder information by fax or email, you need to ensure that the network used is secure and encrypted to protect the information. Standard email is not secure and shouldn’t be used for credit cards by anyone. The strongest risk in hotels is actually with credit card details on fax paper or printed emails being left lying around.
- Staff should be trained on the importance of protecting cardholder data.
Consequences of non-compliance?
Non-compliant businesses can face fines from the credit card companies, brand damage, potential lawsuits, insurance claims, difficult business conditions and a negative impact on customers. In the case of the data breach suffered by the Radisson Group, they had to contact guests to ask them to check their account statements for unauthorized purchases - hardly good for your image. Wyndham Worldwide Group were recently charged by the Federal Trade Commission in the US for three separate data breaches which, it is claimed by the FTC, resulted in $10.6m lost to fraud.
How Bookassist complies with PCI DSS.
Bookassist takes compliance with PCI DSS seriously and we go to considerable effort and cost to achieve the standards of compliance. All hotel clients of the Bookassist system must sign up to the PCI DSS standards, all access to our system is logged and access to the system is password protected (and passwords need to be re-set every 90 days). CVC numbers are never logged on the Bookassist system and are not available to hotels in accordance with PCI DSS. Customer cardholder data can only be viewed for up to one month following the customer’s departure date. After that date, the information is automatically deleted from the Bookassist system and cannot be retrieved.
In addition to this, Bookassist have a dedicated Security Officer with responsibility for all PCI DSS compliance and security issues, a full incident response team and response plan in the event of any issues arising and staff on call 24/7/365. We have invested heavily in hardware and software to ensure security and monitoring and we have an annual external audit, part of which consists of hack attempts at our systems and monitoring how these attempts are dealt with automatically by our system.
At Bookassist we feel that the investment we have made in PCI DSS compliance is important for us and for our hotel clients.
2. Data Protection
What is Data Protection?
Data Protection is the protection of personal data. Personal data means “data relating to a living individual who is or can be identified either from the data or from the data in conjunction with other information that is in, or is likely to come into, the possession of the data controller.”
The protection of personal data is a legislative requirement that stems in Ireland from Data Protection Acts 1988 - 2003. In all our core markets, Data Protection legislation is EU driven. The main Data Protection principles are as follows; (i) data must be obtained and processed fairly, (ii) it must only be kept for lawful purposes, (iii) data must only be processed for the purpose intended, (iv) data must be kept secure, accurate and up to date, and (v) data must only be retained for as long as it is necessary.
In Ireland the Data Protection Commissioner has responsibility for monitoring compliance with the legislation and for taking proceedings if needs be against persons or businesses who are in breach of the legislation. In recent times, the Data Protection Commissioner has taken proceedings against eircom and Meteor for data breaches relating to the theft of two unencrypted laptops containing details of over 10,000 customers. In these case, fines of €15,000 each were levied against eircom and Meteor for breaches of data protection.
Consequences of non-compliance?
Under the current legislation, non-compliance with data protection can attract fines of up to €100,000, criminal proceedings, civil proceedings by individuals and reputational damage.
On 25th January 2012 the EU Justice Commissioner, Viviane Reding announced significant future reforms of Europe’s data protection legislation. As part of the reforms heavier fines for non-compliance were announced - up to €1 million or 2% of global annual revenue for data breaches.
How Bookassist assists hotels with compliance
When guests are inputting their booking details on client hotel sites, the Bookassist system only requests information necessary for the completion of the booking process. In addition guests are requested to tick a box (opt in) to confirm if they want to receive any emails / marketing information directly from the client hotel. The Bookassist system then logs all access to the system.
For email marketing campaigns, it is important that the Guidelines set out by the Data Protection Commissioners are followed. These Guidelines state that:
Where you have obtained contact details in the context of the sale of a product or service, you may only use these details for direct marketing by electronic mail if the following conditions are met:
- The product or service you are marketing is of a kind similar to that which you sold to the customer at the time you obtained their contact details;
- At the time you collected the details, you gave the customer the opportunity to object, in an easy manner and without charge, to their use for marketing purposes;
- Each time you send a marketing message, you give the customer the right to object to receipt of further messages; and
- The sale of the product or service occurred not more than twelve months prior to the sending of the electronic marketing communication or, where applicable, the contact details were used for the sending of an electronicmarketing communication in that twelve month period.
NOTE: In relation to 4 above, if the subscriber fails to unsubscriber, they are deemed to have remained opted-in to for a further twelve month period from the date of the most recent marketing email.
The Bookassist system records for the hotel whether or not the customer has consented to receiving emails from the hotel and also the date of the booking to help the hotel to comply with the Guidelines.
3. Consumer Protection
What are the main principles?
In all transactions between businesses and consumers it is important that the information used is clear and transparent at all times. In Ireland the legislation stems from the Consumer Protection Act 1978 but in more recent decades is mainly EU driven. The legislation is constantly being updated to increase the requirements on businesses to protect consumers especially for online consumer transactions.
How does Bookassist assist hotels?
The Bookassist booking process is a clear three step process. At each stage of the booking process, the customer is asked to give their confirmation to move to the next stage. It is also made clear to the customer at all times what the total price of the room/package they are booking is and whether or not they are to pay a deposit at the time of booking.
Bookassist takes PCI DSS, Data Protection and Consumer Protection compliance seriously and invests effort, time and money on compliance on behalf of our clients. It is critical that your business is not exposed by dealing with non-compliant partners. The consequences of not checking your suppliers’ credentials could be enormous.
Elaine McCormack is Legal Counsel at Bookassist (bookassist.org), the technology and online strategy partner for hotels. Bookassist provides Site Builder web design, Traffic Builder PPC management and Booking engine services to drive direct business to hotels.