Why Cybersecurity is Key to Protecting Hotel Guests, Staff and Brand Reputation

People who have had fraudulent charges put on their cards won’t exactly have the best impression of your hotel, regardless of your property’s culpability. Hence, you need systems and protocols in place to prevent fraud from occurring as well as deal with any fallout that may crop up on third-party review sites.
By Larry and Adam Mogelonsky - 3.26.2021

As hoteliers, we are trained in service. The pandemic, though, has caused every hotel’s tech stack to expand in order to meet the need for a contactless guest service. This means that understanding technology is now a base requirement for any role in the organization.

While we can focus on data integrations, machine learning and smart analyses of guest profiles, one big issue with this great technological reset is cybersecurity – that is, the potential for data breaches or fraudulent activities by external persons or even by staff members.

This is a clear-cut matter of risk management in that a breach can besmirch a hotel brand’s reputation for many years to come. Or on a more micro-level, just imagine the damage if it was discovered (and made public) that, when using an electronic document platform for handling credit card payments, staff members were able to see a guest’s full credit card details while transferring them into the PMS and someone on your team was then illegally using that information.

As an analogous example to help demonstrate why data security is critical heading for operating in 2021, suppose that your hotel is confirmed as the site of a super-spreader event for COVID-19. Regardless of the legal ramifications, your name would all but forever be associated with this deadly virus, which would subtly or explicitly deter future guests from choosing you. If you look at some of the earliest outbreaks which occurred on cruise ships in Spring 2020, know that the parent corporations are still reeling from this negative media coverage. Much like protecting your guests or staff from exposure to Covid, so too must you do the same regarding data security.

But that’s what the IT director is here for, right? Yes and no. Your technology team is there to identify needs, maintain system integrities and remedy problems as they occur, but if the executive committee doesn’t have a firm grasp on some of the processes that enable these technologies to exist then there won’t be a viable strategic vision to guide these specialists. Cybersecurity, even down to the minutia of ensuring your own team never sees a full credit card, must be ingrained into upper management’s plans.

Because, when it comes to breaches, don’t say it won’t happen. It’s not an ‘if’ but a ‘when’. Indeed, there have already been a few successful cyberattacks that have resulted in major damages for leading hotel chains. Now, though, with our post-pandemic dependence on mobile apps and IoT-enabled devices for practically every significant point of interaction in the guest experience, the risk of a breach only becomes amplified as we continue to add to our tech stacks.

The end goal of a breach for a hacker, phisher or fraudster is money. They are looking for ways to cheat a property or individual from their possessions, or to impersonate someone as a means of unlawfully confiscating goods or cash. Certainly, the latest version of your PMS has layers of security to protect your guests’ identities housed within their data stores, but it still doesn’t hurt to reach out to them so that they can audit your systems and offer advice on mitigating any vulnerabilities.

Even better would be to hire an external consultant specializing in data security to perform a comprehensive audit of your entire tech stack. You never know what they may uncover. Particularly with so many new platforms and devices set up hastily during the early stages of Covid, perhaps there were some weaknesses that weren’t adequately addressed given the intense pressure we were all under to react on the spot.

Instead of a massive and systemic breach, however, the more common possibility comes from people falsifying credit card information. Although these may take place on a much smaller scale then, say, a man-in-a-middle attack where the hacker imitates a WiFi login portal then gains access and scrapes an entire guest database, they are still a nuisance to manage.

Foremost is mitigating the reputational damage. People who have had fraudulent charges put on their cards won’t exactly have the best impression of your hotel, regardless of your property’s culpability. Hence, you need systems and protocols in place to prevent fraud from occurring as well as deal with any fallout that may crop up on third-party review sites.

Next is chargebacks which are becoming all but unavoidable for what’s called ‘card not present’ transaction. For reference, these are in contrast to ‘Chip and PIN’ or ‘Chip and Signature’ transactions where there is some form of in-the-moment two factor authentication (2FA) to confirm that the person using the credit card is who they say they are. The problem with the chip-and-PIN or chip-and-signature methods is that they require some form of direct contact between the customer and an employee. At present, this isn’t contactless and comes with the risk of Covid spread. Hence, lodging merchant terminals (that’s us) are increasingly resorting to card-not-present payments where fraud and chargeback disputes are both significantly higher in likelihood.

Saar Fabrikant, President and CEO of b4

“The big step that hotels must take for handling card-not-present situations is the ‘tokenization’ of credit card data,” explained Saar Fabrikant, President and CEO of b4, a maker of secure payment solutions. “What this means that all sensitive information is encrypted for everyone except the payer. This ‘token’ is then passed through various hotel systems without an employee, or any person beyond the actual payer, ever able to see the full card details. This crucial and elegant step means that payments are instantly verified, increasing the chances of winning chargeback disputes.”

Coming out of the last economic crisis just over a decade ago, there was a big push for all senior executives to learn the basics of revenue management, so much so that nowadays RM, yield management and dynamic pricing are everyday aspects of the life of a hotelier. Today the same knowledge adoption has just happened for all matters related to viral safety through the understanding of such terms as disinfection, sanitization, social distancing, electrostatic sprayers, PPE, cleanliness theater, occupancy buffers and fomite transmission.

The next normal of 2021 will necessitate the same degree of comprehension for cybersecurity in order to protect guests, staff and the hotel organization from damages and to effectively guide any new technology deployments. Take some time to mandate some instruction in this field so that every associate or manager knows what’s at stake.

Larry and Adam Mogelonsky represent one of the world’s most published writing teams in hospitality, with over a decade’s worth of material online. As the partners of Hotel Mogel Consulting Limited, a Toronto-based consulting practice, Larry focuses on asset management, sales and operations while Adam specializes in hotel technology and marketing. Their experience encompasses properties around the world, both branded and independent, and ranging from luxury and boutique to select-service. Their work includes six books “Are You an Ostrich or a Llama?” (2012), “Llamas Rule” (2013), “Hotel Llama” (2015), “The Llama is Inn” (2017), “The Hotel Mogel” (2018) and “More Hotel Mogel” (2020). You can reach Larry at [email protected] or Adam at [email protected] to discuss hotel business challenges or to book speaking engagements.

This article may not be reproduced without the expressed permission of the authors.

Are you an industry thought leader with a point of view on hotel technology that you would like to share with our readers? If so, we invite you to review our editorial guidelines and submit your article for publishing consideration.