Blog category: pci

Safer and Better Online Business

By John Braine | On Thu, November 01, 2012

Stories of serious data breaches are creeping into the news on a regular basis. Large organizations such as Wyndham Worldwide Group, Radisson Hotels Group, Tripadvisor, Facebook, eircom, Meteor and Ulster Bank have been hit in recent times and have received the type of publicity no business needs.

If you operate your hotel without the necessary measures to protect your business and your customers from a data breach, you are exposing your business and customers to risk. Without the proper controls your confidential information and your customers’ personal information and credit card details could be hacked into, causing immeasurable damage.

Bookassist operates in numerous jurisdictions and constantly monitors legislative developments across Europe for the benefit of our hotel clients. Here, I outline the standards and legislation in place to help protect your business and your customers, and the actions Bookassist has taken to protect our hotel clients and their guests.

1. PCI DSS

What is PCI DSS?

The Payment Card Industry Data Security Standard (PCI DSS) is a set of technical and operational requirements created by the major card brands (Visa, MasterCard, American Express, Discover and JCB) in 2004. The current version, PCI DSS 2.0, was released in October 2010. The standard applies to every organisation that stores, processes or transmits cardholder data. PCI DSS is a contractual industry standard, enforced through merchant and service-provider agreements with the card brands and acquiring banks, and is not a legal requirement in Ireland and many other countries.

The aim of PCI DSS is to reduce card fraud by setting a baseline for how cardholder data must be protected. Being PCI DSS compliant does not mean that you won't have a data breach, but an organisation that can show it was compliant at the time of a breach is in a much stronger position with the card brands and its acquiring bank when fines and liability are assessed.

What you can / cannot do?

For starters, hotels, or any business, must never store the card security code (CVC, also printed as CVV2 or CID) once a transaction has been authorised; PCI DSS prohibits this outright, along with storage of full magnetic-stripe data and PIN blocks. The three- or four-digit code printed on the card is the closest thing a card-not-present transaction has to a signature: it shows that the person supplying the card details physically held the card. Stolen card details without it are far less useful to fraudsters.

  • Access to machines which hold reservation information should be restricted to staff who need it, each user should have their own account, and passwords should never be shared between staff.
  • Cardholder information must not be stored or transmitted in an insecure manner. Where you send or receive cardholder information by fax or email, the channel itself must be encrypted. Standard email is not secure and must not be used for card details by anyone; PCI DSS specifically prohibits sending unprotected card numbers over end-user messaging technologies such as email or instant messaging. The greatest risk in hotels is in fact physical: card details on fax paper or printed emails left lying around.
  • Staff should be trained on the importance of protecting cardholder data and on what to do if they suspect it has been exposed.

Consequences of non-compliance?

Non-compliant businesses can face fines from the card brands, brand damage, potential lawsuits, insurance claims, difficult business conditions and a negative impact on customers. In the case of the data breach suffered by the Radisson Group, they had to contact guests to ask them to check their account statements for unauthorised purchases - hardly good for your image. Wyndham Worldwide Group was recently sued by the Federal Trade Commission in the US over three separate data breaches which, the FTC alleges, resulted in more than $10.6m in fraud losses.

How Bookassist complies with PCI DSS.

Bookassist takes compliance with PCI DSS seriously and we go to considerable effort and cost to achieve and maintain compliance. All hotel clients of the Bookassist system must sign up to the PCI DSS standards, all access to our system is logged, and access to the system is password protected (passwords must be changed at least every 90 days). Card security codes are never logged on the Bookassist system and are not made available to hotels, in accordance with PCI DSS. Customer cardholder data can only be viewed for up to one month following the customer's departure date. After that date, the information is automatically deleted from the Bookassist system and cannot be retrieved.

In addition to this, Bookassist has a dedicated Security Officer with responsibility for all PCI DSS compliance and security issues, a full incident response team and response plan in the event of any issues arising, and staff on call 24/7/365. We have invested heavily in hardware and software for security and monitoring, and we undergo an annual external audit, part of which is penetration testing against our systems and a review of how those attacks are detected and handled automatically by our defences.

At Bookassist we feel that the investment we have made in PCI DSS compliance is important for us and for our hotel clients.

2. Data Protection

What is Data Protection?

Data Protection is the protection of personal data. Personal data means “data relating to a living individual who is or can be identified either from the data or from the data in conjunction with other information that is in, or is likely to come into, the possession of the data controller.”

The protection of personal data is a legislative requirement that stems, in Ireland, from the Data Protection Acts 1988 and 2003. In all our core markets, data protection legislation is EU driven. The main data protection principles are as follows: (i) data must be obtained and processed fairly; (ii) it must be kept only for one or more specified and lawful purposes; (iii) it must be processed only in ways compatible with those purposes; (iv) it must be kept secure, accurate and up to date; and (v) it must be retained no longer than is necessary for those purposes.

In Ireland the Data Protection Commissioner is responsible for monitoring compliance with the legislation and for taking proceedings, where necessary, against persons or businesses in breach of it. Recently the Commissioner took proceedings against eircom and Meteor over the theft of two unencrypted laptops containing details of over 10,000 customers. In those cases, fines of €15,000 each were levied against eircom and Meteor for breaches of data protection. The point worth noting is that the breach arose because the laptops were unencrypted: with full-disk encryption, the thefts would have been a hardware loss rather than a personal data breach.

Consequences of non-compliance?

Under the current legislation, non-compliance with data protection can attract fines of up to €100,000, criminal proceedings, civil proceedings by individuals and reputational damage.

On 25th January 2012 the EU Justice Commissioner, Viviane Reding announced significant future reforms of Europe’s data protection legislation. As part of the reforms heavier fines for non-compliance were announced - up to €1 million or 2% of global annual revenue for data breaches.

How Bookassist assists hotels with compliance

When guests are entering their booking details on client hotel sites, the Bookassist system requests only the information necessary to complete the booking. In addition, guests are asked to tick a box (opt in) to confirm whether they want to receive emails or marketing information directly from the client hotel. The Bookassist system also logs all access to guest data.

For email marketing campaigns, it is important that the Guidelines set out by the Data Protection Commissioner are followed. These Guidelines state that:

Where you have obtained contact details in the context of the sale of a product or service, you may only use these details for direct marketing by electronic mail if the following conditions are met:

  1. The product or service you are marketing is of a kind similar to that which you sold to the customer at the time you obtained their contact details;
  2. At the time you collected the details, you gave the customer the opportunity to object, in an easy manner and without charge, to their use for marketing purposes;
  3. Each time you send a marketing message, you give the customer the right to object to receipt of further messages; and
  4. The sale of the product or service occurred not more than twelve months prior to the sending of the electronic marketing communication or, where applicable, the contact details were used for the sending of an electronic marketing communication in that twelve month period.

NOTE: In relation to 4 above, if the subscriber does not unsubscribe, they are deemed to have remained opted in for a further twelve-month period from the date of the most recent marketing email.

The Bookassist system records for the hotel whether or not the customer has consented to receiving emails from the hotel and also the date of the booking to help the hotel to comply with the Guidelines.
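The four Guidelines conditions and the NOTE above amount to a small decision rule, and the part people get wrong is the rolling window: the twelve months run from the later of the last sale and the last marketing email the guest did not object to. The following is an added example written for this page, not Bookassist code; the record fields (consent flag, objection flag, last sale date, last marketing email date) are assumptions about what a booking system would keep, since the post only says that consent and the booking date are recorded.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass
class MarketingRecord:
    """Per-guest data assumed for the check (hypothetical field names)."""
    consented_at_booking: bool            # opt-in box ticked when details were collected
    objected: bool                        # guest has since unsubscribed
    last_sale: date                       # date of the most recent booking (the "sale")
    last_marketing_email: Optional[date] = None   # most recent marketing email, if any
    similar_product: bool = True          # the message markets a similar product/service


def twelve_months_after(d: date) -> date:
    """Same calendar day one year on; 29 February rolls to 28 February."""
    try:
        return d.replace(year=d.year + 1)
    except ValueError:
        return d.replace(year=d.year + 1, day=28)


def may_send_marketing(rec: MarketingRecord, today: date) -> bool:
    """Apply the four Guideline conditions plus the NOTE on the rolling window."""
    # Conditions 2 and 3: the guest had the chance to object and has not done so.
    if not rec.consented_at_booking or rec.objected:
        return False
    # Condition 1: only similar products or services may be marketed.
    if not rec.similar_product:
        return False
    # Condition 4 and the NOTE: the twelve-month window is anchored on the
    # later of the last sale and the last marketing email sent without objection.
    anchor = rec.last_sale
    if rec.last_marketing_email is not None and rec.last_marketing_email > anchor:
        anchor = rec.last_marketing_email
    return today <= twelve_months_after(anchor)


def example_timeline() -> dict:
    """Constructed scenario (not real guest data) walking one guest through the rule."""
    rec = MarketingRecord(consented_at_booking=True, objected=False,
                          last_sale=date(2012, 3, 10))
    results = {}
    results["within_year"] = may_send_marketing(rec, date(2013, 2, 1))
    results["lapsed"] = may_send_marketing(rec, date(2013, 3, 11))
    # An email went out on 2013-02-01 (inside the window) and the guest did not object,
    # so the NOTE re-anchors the window on that date.
    rec.last_marketing_email = date(2013, 2, 1)
    results["extended"] = may_send_marketing(rec, date(2014, 1, 15))
    # Once the guest unsubscribes, nothing further may be sent regardless of dates.
    rec.objected = True
    results["after_unsubscribe"] = may_send_marketing(rec, date(2014, 1, 16))
    results["leap_day_rollover"] = twelve_months_after(date(2012, 2, 29)).isoformat()
    return results


if __name__ == "__main__":
    for name, value in example_timeline().items():
        print(f"{name}: {value}")
```

Note that a marketing email sent after the window has lapsed must not be used to re-anchor it: the NOTE only extends a window that was still open when the email was sent, so the caller should only record `last_marketing_email` for emails that `may_send_marketing` permitted.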

3. Consumer Protection

What are the main principles?

In all transactions between businesses and consumers it is important that the information given to the consumer is clear and transparent at all times. In Ireland the legislation dates back to the Consumer Protection Act 1978, but in recent decades it has been mainly EU driven. The legislation is constantly being updated to increase the obligations on businesses to protect consumers, especially in online consumer transactions.

How does Bookassist assist hotels?

The Bookassist booking process is a clear three-step process. At each stage of the booking process, the customer is asked to confirm before moving to the next stage. It is also made clear to the customer at all times what the total price of the room or package they are booking is, and whether or not a deposit is payable at the time of booking.

Conclusion

Bookassist takes PCI DSS, Data Protection and Consumer Protection compliance seriously and invests effort, time and money on compliance on behalf of our clients. It is critical that your business is not exposed by dealing with non-compliant partners. The consequences of not checking your suppliers’ credentials could be enormous.

Elaine McCormack is Legal Counsel at Bookassist (bookassist.org), the technology and online strategy partner for hotels. Bookassist provides Site Builder web design, Traffic Builder PPC management and Booking engine services to drive direct business to hotels.

Labels: security, reputation, pci, legal, data protection


Why You Seriously Need PCI-Compliant Partners

By Des O'Mahony | On Wed, September 18, 2013

Don’t Risk It

If you operate your hotel without the necessary measures to protect your business and your customers from a hack or data breach, you are exposing your business and customers to risk. If you use online partners who are not fully compliant with the Payment Card Industry’s standards, then you are the one who will ultimately suffer. Without the proper controls your confidential information and your customers’ personal information and credit card details could be hacked into, causing immeasurable damage.

You need to protect your reputation by making sure that your most valuable asset - your customer - and their data is managed well. Payment Card Industry Data Security Standard (PCI DSS) compliance gives you the peace of mind that your suppliers know what they are doing.

Bookassist operates across many countries and constantly monitors international legislative developments for the benefit of our hotel clients.

  • Bookassist is PCI DSS compliant, was one of the first in the online bookings business to be compliant, and has retained compliance for many years.

  • Bookassist is listed as a registered Merchant Agent on Visa's merchant agents list for PCI purposes - just search for Bookassist on this link: https://www.visamerchantagentslist.com/

Before you engage with an online provider, search for their status on https://www.visamerchantagentslist.com/ and request their current PCI DSS Attestation of Compliance (AOC), the document signed after a successful assessment. Check that the AOC is dated within the last year and that the services it lists actually cover the booking engine you will be using.

What is PCI DSS?

The Payment Card Industry Data Security Standard (PCI DSS) is a set of technical and operational requirements created by the major card brands (Visa, MasterCard, American Express, Discover and JCB) in 2004, and it has been revised continually since. The standard applies to every organisation that stores, processes or transmits cardholder data. PCI DSS is a contractual industry standard, enforced through merchant and service-provider agreements with the card brands and acquiring banks, and is not a legal requirement in Ireland and many other countries.

The aim of PCI DSS is to reduce card fraud by setting a baseline for how cardholder data must be protected. Being PCI DSS compliant does not mean that you won't have a data breach, but an organisation that can show it was compliant at the time of a breach is in a much stronger position with the card brands and its acquiring bank when fines and liability are assessed.

What you can / cannot do?

For starters, hotels, or any business, must never store the card security code (CVC, also known as CVV, CVV2 or CID) once a transaction has been authorised; PCI DSS prohibits this outright, along with storage of full magnetic-stripe data and PIN blocks. The three- or four-digit code printed on the card is the closest thing a card-not-present transaction has to a signature: it shows that the person supplying the card details physically held the card. Stolen card details without it are far less useful to fraudsters.

  • Access to machines that hold reservation information should be restricted to staff who need it, each user should have their own account, and passwords should never be shared between staff.

  • Cardholder information must not be stored or transmitted in an insecure manner. Where you send or receive cardholder information by fax or email, the channel itself must be encrypted. Standard email is never secure and must never be used for card details by anyone; PCI DSS specifically prohibits sending unprotected card numbers over end-user messaging technologies such as email or instant messaging. The greatest risk in hotels is in fact physical: card details on fax paper or printed emails left lying around.

  • Staff should be trained on the importance of protecting cardholder data and on what to do if they suspect it has been exposed.

Consequences of non-compliance

Non-compliant businesses can face fines from the card brands, brand damage, potential lawsuits, insurance claims, difficult business conditions and a negative impact on customers. In the case of the data breach suffered by the Radisson Group in recent years, they had to contact guests to ask them to check their account statements for unauthorised purchases - hardly good for your image. Wyndham Worldwide Group was recently sued by the Federal Trade Commission in the US over three separate data breaches which, the FTC alleges, resulted in more than $10.6m in fraud losses.

How Bookassist complies with PCI DSS

Bookassist takes compliance with PCI DSS seriously and we go to considerable effort and cost to achieve and maintain compliance. All hotel clients of the Bookassist system must sign up to the PCI DSS standards, all access to our system is logged, and access to the system is password protected (passwords must be changed at least every 90 days). Card security codes are never logged on the Bookassist system and are not made available to hotels, in accordance with PCI DSS. Customer cardholder data can only be viewed for up to one month following the customer's departure date. After that date, the information is automatically deleted from the Bookassist system and cannot be retrieved.
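The "what you can / cannot do" rules above and the statement that security codes are never logged both come down to one engineering control: whatever a booking system writes to disk or to a log must never contain a security code, and card numbers in it must be masked. The following is an added example written for this page (not Bookassist code, and not a description of how the Bookassist system does it) showing a log-line redactor that strips security codes outright and masks any digit run that passes the Luhn check down to the first six and last four digits, which is the most PCI DSS allows to be displayed. The sample log lines are constructed; the card numbers in them are the well-known test numbers, not real cards.

```python
import re

# Constructed sample log lines (not real data). The 16-digit booking reference in
# the first line is deliberately chosen so that it fails the Luhn check; the two
# card numbers are the standard Visa and MasterCard test numbers, which pass it.
SAMPLE_LOG = [
    "2013-11-18 09:12:01 INFO booking=7300000000000001 guest=J.Doe",
    "2013-11-18 09:12:02 DEBUG card pan=4111111111111111 exp=12/15 cvc=123",
    "2013-11-18 09:12:03 DEBUG card pan=5555 5555 5555 4444 cvv2=9876",
]

# A run of 13-19 digits, optionally separated by spaces or hyphens, not adjoining other digits.
_DIGIT_RUN = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# key=value or key: value forms of the card security code under its usual labels.
_SECURITY_CODE = re.compile(r"(?i)\b(cv[cv]2?|csc|cid)\s*[=:]\s*\d{3,4}")


def luhn_ok(digits: str) -> bool:
    """Luhn check: separates real card numbers from ordinary long identifiers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan_digits: str) -> str:
    """Keep only the first six and last four digits, the PCI DSS display limit."""
    return pan_digits[:6] + "*" * (len(pan_digits) - 10) + pan_digits[-4:]


def redact_line(line: str) -> str:
    """Return the log line with security codes removed and card numbers masked."""
    # Security codes must not be stored anywhere after authorisation, so the value
    # is dropped entirely rather than masked.
    line = _SECURITY_CODE.sub(lambda m: m.group(1) + "=[REDACTED]", line)

    def _mask(m: re.Match) -> str:
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            return mask_pan(digits)
        return m.group(0)       # not a card number: leave booking references alone

    return _DIGIT_RUN.sub(_mask, line)


def redact_log(lines):
    """Redact a sequence of log lines before they are written or shipped."""
    return [redact_line(line) for line in lines]


if __name__ == "__main__":
    for original, cleaned in zip(SAMPLE_LOG, redact_log(SAMPLE_LOG)):
        print(cleaned)
```

Run the redactor as close to the point of logging as possible (a logging filter or formatter), not as a batch job over files already on disk, since a log that ever held a full card number has already put that file in PCI DSS scope. The Luhn test is what keeps the redactor from mangling booking references and other long numbers; a number that happens to pass Luhn by chance (one in ten) is masked unnecessarily, which is the safe direction to fail.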

In addition to this, Bookassist has a dedicated Security Officer with responsibility for all PCI DSS compliance and security issues, a full incident response team and response plan in the event of any issues arising, and staff on call 24/7/365. We have invested heavily in hardware and software for security and monitoring, and we undergo an annual external audit, part of which is penetration testing against our systems and a review of how those attacks are detected and handled automatically by our defences.

At Bookassist we feel that the investment we have made in PCI DSS compliance is important for us - and for our hotel clients.

Dr Des O’Mahony is CEO and founder at Bookassist (bookassist.org), the award-winning technology and online strategy partner for hotels worldwide.

Labels: security, pci, bookassist


What if your Booking Engine was hacked?

By Editor | On Mon, November 18, 2013

Cybercrime - It could happen to you!

Cybercrime is a reality and no company is completely immune. But you can and must take steps to protect your hotel and your customers from a security breach. With the rise of online payments and the increasing technical ability of cyber criminals, your data needs to be much better protected or you risk destroying your business.

The highly-publicised recent data breach at Loyaltybuild, estimated to be the largest data breach in Europe within the last three years, emphasises the importance of taking action to ensure the protection of your business and your hotel brand against such a data breach.

Loyaltybuild operates reward schemes for companies across Europe, including well known brands in the Irish market such as SuperValu, Axa, StenaLine and Electric Ireland. In October 2013, personal and credit card data processed by Loyaltybuild on behalf of a number of companies was compromised and a number of investigations are ongoing into the matter by the Data Protection Commissioner in Ireland and the Garda Bureau of Fraud Investigation. Breaches of this nature have the potential to have major implications for all companies and brands to whom Loyaltybuild provided services.

Given the serious damage a data breach of your booking engine data could do to your business, we have compiled the following FAQ to help you put in place the best protection for your hotel.

1. I don’t need to worry because our booking engine provider processes bookings for us, so it’s their problem if there is a data breach, right?

Whilst a data breach would cause serious problems for your booking engine provider it would also have a huge negative impact on your hotel brand. Just as brands associated with Loyaltybuild are currently suffering from a crisis of customer confidence, you would be similarly affected through association with your booking engine provider. You need to protect your reputation by making sure that your most valuable asset - your customer - and their data is fully protected whether you or your suppliers are handling that data.

2. What can our hotel do to reduce the risk of a data breach of our booking engine?

First and foremost, you must ensure that the provider you work with is PCI DSS compliant. PCI DSS (Payment Card Industry Data Security Standard) compliance gives you the peace of mind that your suppliers know what they are doing and that your customers' data is being stored and handled by that third party in accordance with an independently assessed standard.

3. What is PCI DSS?

The aim of PCI DSS (Payment Card Industry Data Security Standard) is to reduce card fraud by setting a baseline for how cardholder data must be protected. Being PCI DSS compliant does not mean that you won't have a data breach, but it does mean that, if one arises, a supplier that can show it was compliant is in a far stronger position with the card brands when fines and liability are assessed. Working with PCI DSS compliant suppliers is like having an insurance policy that helps you when things go wrong.

4. How do I find out if my current booking engine provider is PCI DSS compliant?

Ask them for their current PCI DSS Attestation of Compliance (AOC), the document signed after a successful assessment (for a full on-site assessment, signed by the provider's Qualified Security Assessor as well). Check that it is less than a year old and that the services it lists actually cover the booking engine you use, then confirm the provider appears on the card brands' published lists of compliant service providers, for example https://www.visamerchantagentslist.com/.

5. My booking engine provider does not have a certificate of PCI DSS compliance so what effect would it have on my hotel if they experienced a data breach?

There would be serious implications for your provider, as they would be offered little protection by the credit card companies for failing to comply with acceptable standards. Your hotel brand would experience significant damage as irate and unhappy customers, who had placed their trust in your brand, express their anger. It is your responsibility to exercise due diligence to ensure that the partners you work with protect you and your customers.

There may also be implications for your costs in processing credit cards with the main providers, or hefty fines from them, that could compromise your ability to do business.

Conclusion

Your single most important asset is your customer. You need to ensure that your hotel and the third parties that you contract with protect your customer’s data to the highest level.

You can reduce the risk to your hotel by ensuring that your Booking Engine Provider provides you with evidence of PCI DSS compliance and adheres to the standards.

About Bookassist and PCI DSS

Bookassist, the World's Leading Booking Engine Technology Provider, is certified PCI DSS compliant and was one of the first booking engine providers to adopt the standard. Bookassist has been compliant for over six years and continually invests in maintaining the highest standards of security. Bookassist can provide its certification on request, and is listed on Visa's merchant agents list at https://www.visamerchantagentslist.com/

Labels: security, pci, data protection, booking engine


bookassist - technology & online strategy for hotels

Address: 1st Floor South Block, Rockfield Central, Dublin D16 R6V0, Ireland
Phone: +353 1 676 2913 Fax: +353 1 676 2916
Web: http://bookassist.org/en