Luxury Hoteliers Magazine 4th Quarter 2016 | Page 56

Luxury and boutique hotels are tempting targets for identity thieves. Globally recognized hotel groups Hilton, Starwood, Trump, Omni, as well as hotel management companies such as White Lodging Services have all been victims of cyber crime. While each of these breaches is unique, a common factor is where the breach occurred: the POS (point of sale) terminal.
Fragmented POS terminals combined with public wireless networks, online and call center access points, and employees with access to guest information all represent heightened exposures. Smaller, independent organizations may be challenged to allocate resources to network security. Larger franchise operations may face the risk of interconnectivity. If franchisees and the franchisor share a single hospitality management system, one breach can result in significant, lasting reputational damage. Similarly, using third party service providers may be cost effective, but this does not fully transfer the risk.
The costs involved in these breaches vary depending on the size and scope. Tens of thousands of dollars can be spent on: incident investigation; incident correction; customer notification of compromised information; public relations and crisis management; Payment Card Industry Data Security Standard (PCI-DSS) fines, penalties, and assessments.
After a breach involving credit/debit card data, a company will face PCI-DSS fines, penalties and assessments, particularly if found non-compliant with PCI-DSS. PCI-DSS is a set of industry rules developed by the PCI Security Standards Council (composed of Visa, MasterCard, American Express, Discover, and JCB). These rules require an organization to maintain a secure environment if it accepts/processes, transmits, or stores any cardholder data. Compliance is required regardless of size or number of transactions. Even if a third party is used to process payments, this does not exempt an organization from compliance. The PCI-DSS guidelines indicate that merchants and service providers must manage and monitor the PCI-DSS compliance of all associated third party servicers with access to cardholder data.
• Who imposes fines and penalties?
• Credit card companies and issuing banks (not the PCI-DSS) penalize merchants and their acquiring banks. Fines and penalties can range from $5,000 to $100,000 and may recur every month based on the level of noncompliance.
• What is the difference between fines, penalties & assessments?
• Assessments generally consist of Operating Expense Recovery and Fraud Recovery. Operating Expense Recovery tends to be the smaller of the two assessments. It consists of costs to reissue credit/debit cards and any investigative costs to determine the extent of the breach. In the case of P. F. Chang's China Bistro, Inc., the MasterCard