Hotels team up to secure credit card data
30 September 2011
Major hotel groups from around the world have joined forces to develop an industry security framework for handling sensitive credit card data.
Organized as working group of not-profit trade association Hotel Technology Next Generation, hotels on board so far include Accor, Fairmont Raffles Hotels International, Hilton Worldwide and Hyatt Hotels Corporation.
The hotels are working to develop a single industry framework to increase security of credit card transactions for hotels, which are more difficult to secure than in other industries.
This is because during the hotel reservation process, sensitive data must often flow across systems controlled by several different companies - and must be stored for weeks or months, until the guest departs and the final bill has been settled.
Each company in the reservation process typically uses a different approach to securing sensitive credit card data. As a result, standard security approaches such as tokenization, which can provide excellent security when a single company controls the systems, cannot easily be used for transactions that move across systems controlled by multiple companies, as routinely occurs with hotels.
Tokenization is a process whereby sensitive card data is stored in a single secure location, which may be operated by a hotel brand, a payment gateway or another third party, and replaced in hotel systems by substitute “tokens.” The tokens can be used to complete the transaction, but are useless if intercepted electronically by a thief.
Tokenized (secure) card numbers typically cannot be deciphered by anyone other than the company that created them. This means that systems must transfer actual credit card data instead, exposing systems at both ends of each transfer to increased risk of hacking and theft.
“Every major hotel company is working to get as many of their systems as possible out of the scope of the Payment Card Industry Data Security Standards (PCI-DSS),” said Douglas Rice, CEO of HTNG. “Most of these companies have focused on solutions based on tokenization, and many have implemented them or are in the process of doing so.”
The companies hope the new initiative will leverage hotel companies’ prior investment in tokenization efforts, adding a layer of security that will enable those solutions to be extended to unrelated parties that may be involved in transactions, such as online travel agencies, global distribution systems, switches, channel management systems, central reservation systems, management companies, independent hotels, payment gateways, swipe devices, and other parties.
“The approach is intended to enable the tokenization of card data by the first system that touches the reservation,” added Rice. “The sensitive data will remain stored in a secure vault, and all of the other systems will simply pass along the token in place of the credit card. The hotel itself can then submit the token to its token provider or gateway to complete the card transaction. The card data itself need never touch a hotel system.”
The full list of participants is: Accor; Delaware North Companies; Fairmont Raffles Hotels International; Hilton Worldwide; Hyatt Hotels Corporation; InterContinental Hotels Group; Jumeirah Group; Kempinski Hotels; The Marcus Corporation; Mandarin Oriental Hotel Group; Marriott International; Maybourne Hotel Group; Meliá Hotels International; Omni Hotels; Starwood Hotels & Resorts Worldwide; and Taj Group of Hotels.
For more information, see http://www.htng.org/credit-card-security
