Card Data's Prolonged Stay in Hotel Systems Creates Fraud Challenge

Like the long shutter times required for old photographs, a payment transaction at a hotel can remain exposed for a while, creating a distinct fraud risk that's not often found at other merchants.

"It's based on the way they hold data," said Tony Ashe, managing director of NXSystems, a security technology company, explaining that cards are used to check in, then accumulate other charges during the course of a stay. NXSystems is advocating tokenization and increased automation of data handling as a strategy to combat the fraud that results from this practice.

"And a lot of hotels are booked online or over the phone with a card number. It's a risky play to give that data over the phone or keystroke it in," Ashe said. "And that data is being held onto for a long time, and many hotels aren't PCI compliant."

Many of the major data breaches reported over the past couple of years involved hotels and hotel chains. The Trump Hotel Collection in October disclosed a breach that may have affected consumer debit and credit card data for more than a year, and Trump's hotels are hardly alone.

Hilton earlier this year disclosed a breach that exposed card accounts for several months in the spring and early summer. The Mandarin Oriental chain also reported a breach this year. And White Lodging, an outsourcer that manages hotels for Holiday Inn, Marriott and Sheraton, reported a major breach in 2014.

Hotels are an appealing target for fraudsters because of the size of the market—the industry is very large, expecting to generate nearly $600 billion in revenue in 2016. And hotel transactions create windows for fraud. For example, attackers can employ WiFi hacking techniques, as well as exploit older guest management practices.

"There's a paper trail, and often a hotel location will have a clipboard of paper with credit card information that's sitting on a manager's desk," Ashe said, adding these clipboards are sometimes used to authorize charges for corporate guests. "There are many points of vulnerability for card information, with relatively low-wage employees handling information, along with cyberattacks."

The travel industry overall suffers higher chargeback rates than many other sectors, earning it a high-risk designation, said Rick Oglesby, a senior analyst and consultant for Double Diamond Group.  

"In addition to breach risk, travel firms often engage in transactions that are paid in advance of service delivery, which increases the risk of fraud, disputes and chargebacks," Oglesby said.

On the back end, hotels rely heavily on card-on-file transactions, which are charged to cards that are not present at the point of purchase, Oglesby said. "There is also a high concentration of cross-border payments and intermediated payments, all of which elevate the risk profile of the merchant."

Antiquated systems create added vulnerability. Writing in PaymentsSource  in March, David Bozin, former vice president of growth development at point of sale technology company Bindo, explained that there's a weak point at hotels after the card is swiped through old hardware at hospitality management platforms and before it gets to the payment gateway. It's  easy for someone to figure out how to pull credit card information from that gap, he said. Bozin (who left Bindo in November) suggested encrypting card data much earlier in the transaction at a hotel, and that's where tokenization may come in.

Tokenization replaces card account numbers with a false equivalent that can't be used to create a counterfeit card. While that wouldn't address the "clipboard" problem, automating  bookkeeping and adding tokenization through a bundled product that can access corporate card accounts would provide a greater shield for card data, Ashe said.

Hotels and other travel sectors will continue to be a relatively high risk category regardless of the EMV migration and despite tokenization efforts, Oglesby said.

"But EMV and tokenization will be a key part of a solution that combines global acceptance, payment facilitation, card-on-file management, encryption, tokenization and other features," Oglesby said. "It's also a clear example of how payment solutions are becoming increasingly vertical-centric and why a payment terminal on a desk really doesn't cut it anymore."