A global trade association serving the hospitality industry and their technology providers has released a framework of best practices and standards that seeks to reduce the risk that payment card data poses to hotels.
The Hotel Technology Next Generation (HTNG) group last week unveiled the Secure Payments Framework for Hospitality (PDF), designed to enhance payment card security and compliance across an industry that has been hard hit by hackers. Specifically, the framework provides guidance on implementing tokenization, a technology that substitutes card data with unique identifying symbols.
"The result allows hotels to complete the process of removing all payment card data from all of their systems, dramatically reducing the cost of PCI (Payment Card Industry) compliance," according to the framework's executive summary. "Because hotels have no obligation or reason to tell customers if a breach of useless data occurs, the cost and impact of remediation, and the effect on brand reputation, are minimized."
Aside from reducing the PCI scope, the framework also provides details for implementing additional emerging technologies to address security deficiencies.
"Opportunities include extending...vaulting services; providing new services to securely handle and route payment card data to and from external parties and systems (e.g. online travel agencies, central reservation systems, meeting planners); and developing secure standalone devices to allow hotels to safely view the actual payment card data associated with a token, when needed," the document said.
Adversaries have heavily targeted the hospitality industry in recent years. The HTNG and security researchers previously interviewed by SCMagazine.com said hotels are a particularly tasty target because properties often must store payment for a long period of time once reservations are made, and their networks often are susceptible to varying vulnerabilities, such as the use of default passwords or the failure to patch systems.
In addition, according to HTNG, guests' credit card numbers typically are shared with a number of third parties during the booking process. As well, many hotels are independently owned and operated, and these franchisees often lack the technical resources to ensure security and compliance.