HotelsMag March 2012 | Page 62

TECHNOLOGY: SECURITY
all data internally, and have considerable infrastructure and resources devoted to this end. Smaller companies frequently outsource, which can be both cost-effective and less frustrating, but may or may not add a layer of deniability for merchants in the event of a processor dispute. At Stout Street, Parker uses popular vendor TrustWave for security, acknowledging the help as an absolute necessity.
“It’s impossible for a small organization — and even for some large organizations — to do everything we need to do without some level of third-party operations,” Parker says. “If I get audited, and something happened to one of our firewalls, TrustWave would have to answer to that, not Jeff Parker.”
Mattsson echoes the need for smaller companies to outsource, but warns that some vendors might not offer the liability assurance clients mistakenly believe they are enjoying. Depending on the contract with the vendor, he says, a hotel company could still be responsible for a breach. It also becomes more expensive and difficult to conduct a forensic audit after a breach when a third party is involved. Thus, costly as it may be, an in-house security system may be the best strategy, Mattsson says, especially with the lower price tag now associated with tokenization.
Success story
Although companies are generally secretive about their security systems, and many of the hotel chains contacted for this story declined to comment, sources confirm that the large chains are mostly going the internal route, and are reportedly having success with their efforts.
Having suffered the Radisson breach in 2008-09, representatives from parent company Carlson Hotels say the organization has since become a model for large-scale data security implementation. Kathy Orner, Carlson’s vice president, enterprise services, and chief information security officer, notes Carlson has received external validation on PCI-DSS compliance annually since 2009, and Carlson was the first hotel company to do so.
“We have a very mature security program; we measure compliance as part of our operational processes,” Orner says. “Not only do we self-report, but we collect digital artifacts, so evidential support shows that we are accomplishing our goals. We embed PCI requirements into our security programs, so if we are following our own policies, we are PCI-compliant.”
Carlson trains and certifies employees as security professionals in multiple regions, and also hires external Qualified Security Assessors (QSAs) from certified and insured contractors. Orner says Carlson has paired technology with training, educating staff on the importance of data security. The company also conducts a mandatory global PCI and information security training module for staff in each brand, each year.
“While many of the security protocols are technology-related, success really depends on people and creating a culture,” Orner says. “We are always looking at ways to make training more engaging and relevant, with real-life examples.”
Parker also stresses education — particularly the need for basic data security at the property level, where criminals can often access systems easily because simple controls are missing. Any time a credit card changes hands, or a password is typed to access a network, that business is exposed to potential data theft.
“I’ve walked into hotels where literally the night auditors tape the password to the credit card processing solution on the screen of the computer,” Parker says. “Any bar that takes your credit card for a tab is not compliant, and you can argue when a waitress takes your credit card to settle your restaurant bill, and takes it back somewhere and comes back with it, that’s not compliant either. PCI has got to figure out a way to be both secure for the client and make it so we can run our businesses at the same time.”
In addition to more conventional methods like encryption and its newer sibling, tokenization, Parker says other methods of processing customer data may include various contactless payment solutions, sealed credit card terminals and even third-party guest bookings conducted via popular e-pay site PayPal. But for now, he underscores the importance of starting with simple security fundamentals.
“People can handle some of the simple stuff early and then work on the more difficult things as they can,” Parker says. “Put in a firewall, change all your default passwords and make everybody log in with separate logins. Start there — that is going to solve 94% of your problems — and then work your way up the list.”
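The three basics Parker lists (a firewall in front of card-handling systems, no factory-default passwords, one login per person) are the kind of thing a small operator can check mechanically. The script below is an added example, not code from the article or from any vendor named in it: it runs a hygiene audit over a constructed inventory of property systems. Host names, the people assigned to each account, and the list of "default" username/password pairs are all made up for illustration (the list is generic, not any specific vendor's defaults). The default-credential check works the way a scanner does, by trial login against each account rather than by reading stored passwords, so the inventory holds only salted hashes.

```python
"""Property-level hygiene audit: firewall present, no default creds, no shared logins.

Added example; the inventory and default-credential list are constructed.
"""
from __future__ import annotations

import hashlib
import hmac
import os
from dataclasses import dataclass

# Constructed list of generic factory-default pairs. Illustrative only; a real
# audit would use the vendor documentation for the equipment actually deployed.
DEFAULT_CREDENTIALS = {
    ("admin", "admin"),
    ("admin", "password"),
    ("admin", "1234"),
    ("root", "root"),
    ("manager", "manager"),
}


def hash_password(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256; iteration count kept low only because this is a demo."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)


@dataclass
class Account:
    user: str
    salt: bytes
    digest: bytes
    assigned_to: list[str]  # people who actually use this login (constructed)

    @classmethod
    def create(cls, user: str, password: str, assigned_to: list[str]) -> "Account":
        salt = os.urandom(16)
        return cls(user, salt, hash_password(password, salt), assigned_to)

    def authenticate(self, password: str) -> bool:
        """Constant-time comparison against the stored salted hash."""
        return hmac.compare_digest(self.digest, hash_password(password, self.salt))


@dataclass
class Host:
    name: str
    role: str
    firewall_enabled: bool
    accounts: list[Account]


def audit_host(host: Host) -> list[str]:
    """Return one finding string per violated basic on this host."""
    findings = []
    if not host.firewall_enabled:
        findings.append(f"{host.name}: no firewall in front of {host.role}")
    for acct in host.accounts:
        # Trial login with every default pair whose username matches.
        for user, pw in sorted(DEFAULT_CREDENTIALS):
            if acct.user == user and acct.authenticate(pw):
                findings.append(
                    f"{host.name}: account {acct.user!r} still uses a factory-default password"
                )
                break
        if len(acct.assigned_to) > 1:
            who = ", ".join(acct.assigned_to)
            findings.append(
                f"{host.name}: login {acct.user!r} shared by {len(acct.assigned_to)} people ({who})"
            )
    return findings


def audit(inventory: list[Host]) -> dict[str, list[str]]:
    return {host.name: audit_host(host) for host in inventory}


def build_sample_inventory() -> list[Host]:
    """Constructed sample: one bad POS, one unprotected bar terminal, one clean server."""
    return [
        Host("pos-frontdesk-01", "card-present POS", True, [
            Account.create("admin", "admin", ["night audit", "day manager"]),
            Account.create("jsmith", "W1nter-Harbor-Lantern-42", ["J. Smith"]),
        ]),
        Host("bar-terminal-02", "bar tab terminal", False, [
            Account.create("manager", "Copper-Kettle-Evening-17", ["K. Lee"]),
        ]),
        Host("pms-server", "property management system", True, [
            Account.create("aroberts", "Quiet-Meadow-Signal-88", ["A. Roberts"]),
        ]),
    ]


if __name__ == "__main__":
    for name, findings in audit(build_sample_inventory()).items():
        print(name, "OK" if not findings else "")
        for line in findings:
            print("  -", line)
```

On the constructed inventory the POS produces two findings (default password and a login shared by two people), the bar terminal one (no firewall), and the PMS server none. The trial-login design means the script can be pointed at a real login routine later without the inventory ever holding cleartext passwords.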
60 HOTELS March 2012 www.hotelsmag.com