The hospitality industry is a particularly high-yielding target for cybercriminals. As an industry that deals mainly in credit card transactions, hotels and restaurants are targeted for the card data they hold, which is then used to commit fraud. The threat also extends to the personal information these businesses collect, which is used in identity theft. As such, not only is the hospitality industry vulnerable to cybercrime, but so too are its customers. The Protection of Personal Information (PoPI) Act is designed to protect a consumer’s personal information. The question to ask is: has the hospitality industry geared itself for the implementation of PoPI, and is it collecting, processing, storing, sharing and protecting customer information responsibly?
Theft of personal and payment information is something cybercriminals do over breakfast, and while some operate solo, most attackers are part of organised global crime syndicates. It would not be an exaggeration to say that, for the global economy, cybercrime is one of the greatest threats of our lifetime. Yet it would surprise many to learn that almost all of the credit card data breaches that have made headlines over the past few years were avoidable: they exploited known weaknesses for which controls already existed. Hotels, restaurants and other hospitality providers (such as spas, salons and tour groups) handle large volumes of credit cards; however, this is not the only data that appeals to cybercriminals.
The hospitality industry also deals heavily in personal information (names, ID and passport numbers, addresses, travel itineraries), which can easily be used to steal a guest’s identity. It is this handling of personal information that puts the hospitality industry squarely in the impact zone when the Protection of Personal Information Act (PoPI) lands later next year. So, what is the hospitality industry doing to protect its guests’ personal information? Currently, not enough. Existing standard operating procedures in many hospitality establishments are outdated and will need to be reviewed and matched to business requirements, preferably before PoPI comes into effect in South Africa. Let’s take a look at what the industry is up against and how it should be working harder to protect its guests’ sensitive data.
The risk is bigger than the industry thinks
Technology has made it easier for businesses to manage information on guests, vendors and employees. Because every business now runs on computer systems, every business is to some extent susceptible to security breaches. Hotels are even more exposed, because they collect masses of private data from customers in their daily operations through credit card transactions, online reservation engines and rewards programmes, and each of those channels is an entry point an attacker can probe. While technology helps businesses operate more effectively, it also increases their risk of data privacy and security breaches, as well as their liability to affected guests. Unfortunately, many hospitality operators have not updated their risk management plans to address the exposure that comes with today’s data management technology.
In the South African hospitality industry, standard operating procedures for dealing with guest personal and payment information are often outdated (for example, photocopying ID documents and credit cards at check-in, a practice that leaves full card numbers sitting in filing cabinets and on shared drives with no access control), because most hotel operators regard non-payment and guests not honouring their bookings as their biggest risk. This has always been the justification for retaining credit card and personal information, deeming it essential to guarantee payment. When PoPI is finally promulgated, hospitality businesses will be compelled to change the way they collect, store and use personal and payment information in order to comply with the Act’s requirements.
No need to reinvent the wheel
Fortunately, the hospitality industry will not have to start from scratch when it comes to addressing data security. While the task of PoPI compliance might seem daunting, we already know what works for protecting data and what doesn’t. Protecting personal (and payment) information requires security principles that encompass people, process and technology, all working together in an environment that prioritises data security. Achieving this isn’t as difficult as it might seem, although each hotel or hospitality business is unique and will have its own quirks and challenges that need to be addressed. An excellent starting point for data security in the hospitality industry is the Payment Card Industry Data Security Standard (PCI DSS). A proprietary information security standard for organisations that handle credit cards, it specifies twelve requirements for compliance, all aimed at controlling and protecting data, people and processes to ensure card security within the environment. Importantly, PCI DSS is as much about not keeping data as about protecting it: it prohibits storing sensitive authentication data after authorisation and requires that any stored card numbers be rendered unreadable, which directly undermines the "photocopy the card" habit.
These principles can be applied to personal information as a departure point for PoPI compliance, since the standard is clear in its instructions and requirements. In doing so, the hospitality provider will need to question its current processes against its actual business requirements. It will need to identify and classify exactly what personal and payment information it needs in order to operate, and securely dispose of everything else: a card number that is not stored cannot be stolen. Next, hospitality operators will need to form a clear understanding of acceptable risks so that they can update their operational procedures and align them with both business performance and data security objectives. Bearing in mind that PoPI is meant to promote accountability and transparency, hospitality organisations will need secure yet auditable technologies and procedures in place to protect sensitive data, so that they can show not only that data is protected, but who accessed it and why.
In closing, it’s important to remember that while meeting legal and industry requirements is essential, compliance does not by itself achieve real cybersecurity: a business can pass an audit and still be breached through a gap the checklist never covered. Here it is advisable to engage a professional who can assist with customising a security strategy based on the organisation’s exact requirements, in order to achieve the goals set out in both PoPI and the PCI DSS. It is this expertise in laying a secure foundation, combined with a culture of accountability at every level of each organisation, that will help the hospitality industry transform itself from one of the most likely targets for data theft into a model for data security.