The PCI Veil of Secrecy Has Been Lifted...A Little | By Dave Bleser ISHC
At the Information Protection and Privacy Conference including PCI Conference that I recently hosted at the 2011 Hospitality Law Conference, Bob Russo, General Manager for the PCI Security Standards Council, lifted the veil of “secrecy” surrounding PCI a little bit. He acknowledged two things that I think the hotel industry should take notice of. One, he agreed “chip and PIN” was effective for person-to-person transactions. If that is how the PCI Standards Council feels, then why has the U.S. not yet adopted this requirement like so many other nations? Why has the council not publicly pushed for its adoption?
Mr. Russo also agreed that it is purely arbitrary how the fines are determined and administered when there is a breach. These two admissions by Mr. Russo help to confirm the perception that exists in our industry: the PCI Standards Council was initially created to protect credit card numbers from being obtained fraudulently, but now they see it as a significant source of revenue.
Did you know there are no published guidelines or declarations for how far back the PCI Council can audit a business when there is a breach? What happens if during their audit they find an area that is susceptible to a breach that is totally unrelated to the cause of the current breach? Can they fine the business for that as well? How much is the fine?
There is not one person from a company other than the credit card companies that sits on the Executive Committee or Management Committee for PCI. Essentially, the fox is guarding the henhouse.
According to their very own website, the PCI Council “is responsible for the development, management, education, and awareness of the PCI Security Standards, including the Data Security Standard (PCI DSS).” Think about it for a moment. The training they offer is not industry specific. They refuse to disclose how the breaches occur and what steps the hotel industry should take to prevent similar breaches from occurring. That information would be educational to our industry, and they wouldn’t have to identify the hotel. How can we as an industry protect ourselves from breaches when we don’t know how they are happening?
They also want to raise the awareness of the standards and penalties. For the past two years the organizers of the Hospitality Law Conference have invited representatives from the credit card companies to come hear the industry’s concerns. They have refused. Why? If they truly want to be our “partners” then they should be willing to sit down in a public forum and address our concerns. This would go a long way in raising the awareness and educating the industry as a whole.
Then there is the issue with chargebacks. The information that hotels need to keep in order to win a chargeback violates the new privacy laws recently enacted by several states. So how is the industry supposed to protect itself from this expense?
I agree that protecting sensitive guest information is good business. There are policies and procedures that hotels can implement in order to reduce their exposure to this type of loss. But with dollars limited, we need to know where best to spend those dollars. The unwillingness of the members of the council to have an honest discussion with the industry, and their unwillingness to have clear and defined standards for the issuing of fines, can only lead one to conclude that the members of the council view the PCI standards more as a revenue generator than as a good business partner.
David M. Bleser
Email: david@davidbleser.com
Bleser & Associates, LLC.
www.davidbleser.com
145 Open Sky Road
USA - Austin, TX 78737
Phone: 407-590-4532