PCI Compliance Issues in the Luxury Hotel Industry
By Rob Johns & Joel Brand

assessment totaled approximately $1.9 million, of which roughly $213 thousand was related to operational reimbursement. Fraud Recovery, the amount owed for the actual fraudulent charges made on the credit cards, was approximately $1.7 million.
• The assessments are more of a concern than any fine or penalty. Failure to pay assessments can result in an organization’s inability to process credit/debit card payments. It’s important to note that PCI DSS assessments are not automatic in the event of a breach. An assessment will be made if the PCI forensic investigator’s report after the breach establishes that:
›› Card data was compromised
›› A minimum number of cards were involved (varies with each credit card brand)
›› The merchant was not PCI DSS compliant
›› There is heightened fraud on the affected cards
• How to mitigate losses?
• Use the most up-to-date POS hardware and software. For example, the new EMV chip card is one way to protect your business and greatly reduce counterfeit payment card attempts. Under the liability shift, issuers or merchants who do not have secure technology in place will now be held liable.
• Purchase a cyber liability policy. While most cyber liability policies provide broad coverage with respect to third-party claims and certain first-party damages, not every policy is equal when it comes to PCI coverage. Some carriers exclude coverage in the base form and add it back by endorsement. Others have the coverage built into the policy, and there are those that are affirmative on the fines and penalties coverage but exclude assessments. Although some carriers provide up to the full limit of liability, most still provide this coverage on a sublimited basis. It is imperative to have policy language that is explicit in its coverage for PCI fines, penalties and assessments at the maximum limit available, because these assessments are often passed on to the merchant by the acquiring bank by virtue of indemnity language in the Merchant Services Agreement. It is the responsibility of the merchant’s (i.e. the hotel’s) cyber policy to respond to these claims.
Cyber liability policies do not contain standard language, and no two policies are identical, as the insurance industry is constantly adapting to the ever-changing threats of cyber crime. As hoteliers consider cyber exposures, it is good practice to review current insurance policies and check with their insurance brokers regarding gaps in coverage.
ILHA 57