Two hospitality technology players are concerned that the industry is not applying sufficient urgency to its adoption of PCI DSS payment processing standards. They got together to voice their disquiet.

Nigel Allport of Agilysys and Andrew Brooks of Servebase see too many hotels and hospitality operators paying lip-service to the need to put PCI DSS at the heart of their business. By operating in a way that is not fully compliant, these operations put their valuable brand capital in jeopardy. It’s a risk no hospitality business can afford to take.

Nigel: I recently read that only 11% of retailers are fully PCI DSS compliant. I was struck by that and found myself wondering what the equivalent is in hospitality. We’re certainly not yet seeing any clear consensus about how the sector addresses compliance.

Andrew: I don’t have an equivalent statistic but I was at the HTNG event in Berlin recently and PCI DSS was one of the topics, as it was at HOSPACE. It’s clear that security breaches are widespread in hospitality and it’s an issue of great concern.

Nigel: The hospitality side of payment may not generate the same pain as retailers go through but it’s equally important and almost more dangerous as it’s less visible.

Andrew: I agree. Although the standards are the same, the risk in hospitality is fraud. Security breaches are pretty widespread, with hackers stealing card data to use elsewhere.

Nigel: Hospitality operators need to ask themselves “what does this mean to my business?” If news gets out that guest card data is not secure, people will simply take their business elsewhere. This can be very damaging to a hospitality brand.

Andrew: It’s important for hotel managers to get their directors or owners bought into PCI DSS compliance, but too often they see costs as an obstacle. It’s not just a case of buying the right technology. There are other costs such as training, which can be quite high in hospitality given staff turnover and the need for frequent password changes and policing of security processes. And then of course there’s the cost of employing a Quality Security Assessor (QSA) accredited by the PCI Security Standards Council.

Nigel: That’s true, but those costs need to be balanced out against the risk of a breach and the damage it can do to a hospitality business. If card data is taken and the situation snowballs, hotels will face fines and damage to their reputation; in short, a loss of brand capital.

Andrew: In Germany for instance, it’s obligatory to publish news of a security breach and the theft of card data. That’s not yet the case in the UK but, even so, compared to potential business damage and loss of revenue, the costs of PCI compliance are insignificant. We have got to change mindsets to get across the true cost and value of security.

Nigel: We find that many in hospitality see this as an IT problem not a business problem. I think that attitude needs changing. It’s a boardroom issue and we must get the concept across to the most senior people in any hospitality business, and win their buy-in.

Andrew: Absolutely. It’s a problem that the industry thinks of PCI DSS as an IT issue, because it’s affected by the general reluctance to invest in IT that still exists. At the risk of being controversial, a hotel group will spend £1million re-carpeting its properties but won’t spend £100K to keep its brand secure. We need to stress that this is a business issue, one that puts the brand capital that’s been created over years, if not generations, at risk if not protected. Nothing is more important than reputation, especially in the current climate where consumers are better informed and better equipped to make choices and assert their buying power.

Nigel: I am surprised there isn’t more of a sense of urgency. There are lessons to be learnt from the experience of larger players yet some in hospitality are still asking themselves the blunt questions – why do we need PCI DSS and what are the risks of us not adopting the standards?

Andrew: More education is definitely needed. At Servebase, we tend to focus on the practical side, on providing a payment gateway coupled with solutions from partners such as Agilysys to alleviate the pain in card handling. Customer retention is the key to any successful hospitality business and we stress that our secure payment solutions enhance the overall customer experience.

Nigel: Some businesses still don’t realise that – whether they conduct a few payment processes or millions of transactions every year – they need to be compliant. Even if their data is processed and stored manually, they need to follow standards. We must convince them they cannot afford not to be compliant.

Andrew: It’s quite a complex issue to tackle in hospitality. Retail has different channels, processing ‘customer present’ or ‘customer not present’ transactions, but the procedure is similar. In the case of a mid to large hotel, a myriad of systems accept card data. You have prepayment bookings, call centres taking bookings with card data, and something that’s unique to hospitality – accepting card data to guarantee a booking, where no charge is made unless there’s a no-show.

Nigel: There are certainly many touch areas for card data as we see with our Agilysys InfoGenesis™, a point-of-sale solution and Agilysys Visual One™, a property management solution. These touch areas all need to be secure, which is why we partner with a company such as Servebase.

Andrew: There’s another issue too. For those that adopt PCI DSS, it’s tempting to achieve the required level of security then mentally put it in cupboard. Compliance has to be an ongoing process. It needs to be one of the everyday things that need to happen in the business. Just as a hotel wouldn’t dream of not cleaning rooms each day, so it needs to ensure its PCI DSS processes are being followed.

Nigel: Yes, active daily management is critical. Secure payment processes need monitoring and logs maintained to make sure there are no breaches. A proactive approach is needed, everyday, because fraudsters are certainly not going to take a day off. They are constantly trying to get hold of valuable guest data.

Andrew: Once processes are in place, they need to be tested and recertified each year by an accredited QSA or via self-assessment, dependent upon the number of transactions taken. It’s not a case of “I’ve got the certificate so I can relax”. All it needs is for a member of staff to let someone unauthorised into an area that needs a security pass, or someone to send you an email containing card data, and you have a problem. However, if you can prove that you have followed the procedures agreed with your QSA, then you are protected if there is a breach.

Nigel: There is no silver bullet, but technology can make this a lot easier. EPoS and PMS suppliers such as ourselves need to ensure our software is always compliant and specialists such as Servebase take as much of the process out of the hands of the user by automating it securely.

Andrew: At the end of the day, it’s difficult to assess the true cost of PCI DSS compliance. It’s individual to the business. There are lots of variables and it’s complex. It all comes down to doing as much as you can to protect the business.

Nigel: The hospitality industry needs to have complete focus on the issue of security breaches and brand security. Not only do operators risk fines if there is a security lapse but, more importantly, they risk devaluing their brand by putting customers at risk and, ultimately, losing the ability to take card payments. We need to keep banging the drum that just six letters – PCI DSS – protect more than card data; they protect the brand capital of a hospitality business.

Agilysys (Europe) Limited provides specialised IT solutions to the hospitality sector, for hotels, restaurants, casinos, resorts, condominiums, cruise lines, sporting stadia, arenas, conference centres and tourist venues. Visit www.agilysyseurope.com

Servebase is a global, multi-channel payment processing provider, delivering secure card processing covering all payment environments, from single solutions to multi channel combinations of mail order, e-commerce and ‘customer present’ Chip and PIN. Visit www.servebase.com

The Facts

Does PCI DSS apply to me?

PCI DSS applies to you if you are involved in storing, processing or transmitting any cardholder data. What’s more, the standard doesn’t just apply to storing data electronically; it also covers manual processing and storage. Whether you conduct a few payment processes or millions of transactions every year, you need to operate in a compliant fashion.

What are the requirements?

• You must not use card and verification details for any purpose other than completing the card transaction.
• You must not pass card details onto anyone else, except for the purpose of helping them to complete the card transaction, ie. authorisation and/or settlement.
• You must not store the card security code (last three digits on signature strip
• You are only permitted to keep a separate record of the card number and expiry date if both of these conditions apply:
• You have the specific agreement of the card holder,
• You are only going to use this information to help with future transactions, such as recurring payments or new orders if further orders are likely.
• In short, you shouldn’t store card data if you don’t need to

The standards

It’s important to know the standards, as you may be storing cardholder information (such as receipts from terminals or emails that contain cardholder details) in a way that the standard does not allow. The standard is broken down into these sections:

• Build and maintain a secure network
• Protect cardholder data
• Maintain a vulnerability management programme
• Regularly monitor and test networks
• Maintain an information security policy

Redwood Shores, Calif. – Jan. 11, 2012

News Facts

• To help retailers increase operational efficiency, improve the customer experience and simplify the payment process across global markets, Oracle today announced a new release of Oracle Retail Point-of-Service.
• The latest version of Oracle Retail Point-of-Service provides retailers with greater international functionality and security by providing a common and open interface that can be localized for different markets, providing integration for multiple international payment partners, and using tokenization to further secure customer card data.
• The new release also delivers greater efficiency for store associates and simplifies deployments through expanded integrations with Oracle and third-party solutions.

Enabling Commerce Across Global Markets

• To simplify and consolidate payment authorization, one of the most complex and labor-intensive challenges for international retailers, Oracle Retail Point-of-Service now provides an Authorized Payment Foundation.
  • The Authorized Payment Foundation is a secure and flexible application programming interface that isolates the authorization process from the Point-of-Service and enables integration with payment processing solutions from industry leaders such as ACI Worldwide and Servebase.
  • Retailers that take advantage of the Authorized Payment Foundation will have a configurable, extensible and hot-pluggable localization foundation necessary to address the ever-changing requirements for payment authorization that supports payment devices and multiple gateway and switch providers around the world.

Using Biometrics to Improve Security

• Using integrated biometrics from a leading global provider of authentication and endpoint protection for access, data and communication, DigitalPersona, the latest release of Oracle Retail Point-of-Service simplifies and strengthens compliance with PCI security standards by allowing operators to login using their fingerprint.
• The biometrics features solve the operational challenge of PCI compliant passwords by replacing PINs or passwords with the touch of a fingerprint and eliminate the opportunity for an unauthorized employee to use a manager’s ID or swipe card to access the Point-of-Service or inappropriately approve an override.

 Speeding Transactions and Improving Store Operations

• Oracle Retail Point-of-Service now includes image-based quick reference screens that allow a cashier to quickly view pictures or icons to easily add an item to the transaction.  This eliminates the need for cashiers to consult a “Scan Book” to find item numbers, which can slow down the checkout process.
• To further improve checkout, the new release extends integration with Oracle Retail Price Management to improve the configurability of threshold-based promotions, such as, “buy two get one free” and “equal or lesser value” promotions.
• Oracle Retail Point-of-Service also now enables store managers to preview point-of-service reports at anytime, without sending the entire report to print.  It also delivers user interface improvements such as more visible status and transaction totals and highlights where input is needed from the store associate.
• ACI Worldwide, DigitalPersona and Servebase are Gold level members in Oracle PartnerNetwork (OPN).

Supporting Quote

• “Globalization is one of the primary sources of growth for retailers, and Oracle Retail Point-of-Service is focused on helping retailers quickly serve new markets while localizing offerings and providing a key component for cross-channel retailing,” said Mike Webster, senior vice president and general manager, Oracle Retail. “This release of Oracle Retail Stores demonstrates our ongoing commitment to lead the industry in meeting the needs of retailers now and in the future.”

Supporting Resources

• Join the Oracle Retail community on Facebook
• Insight-Driven Retailing Blog
• Oracle Retail International Blog
• Oracle Retail YouTube Channel
• Follow Oracle Retail on Twitter
• Oracle Retail in the News
• Oracle in Retail

 About Oracle Retail

Oracle provides retailers with a complete, open and integrated suite of business applications, server and storage solutions that are engineered to work together to optimize every aspect of their business. 20 of the top 20 retailers worldwide – including fashion, hardlines, grocery and specialty retailers – use Oracle solutions to drive performance, deliver critical insights and fuel growth across traditional, mobile and commerce channels.  For more information, visit our Web site at http://www.oracle.com/goto/retail

 About Oracle

Oracle engineers hardware and software to work together in the cloud and in your data center.  For more information about Oracle (NASDAQ:ORCL), visit www.oracle.com.

About Oracle in Industries

Oracle industry solutions leverage the company’s best-in-class portfolio of products to address complex business processes relevant to Retail, helping speed time to market, reduce costs, and gain a competitive edge.

Trademarks

Oracle and Java are registered trademarks of Oracle and/or its affiliates. Other names may be trademarks of their respective owners.

 Contact Info

Servebase offers multi-channel card payment services globally, processing $15 billion worth of transactions per year, and is a leader in the hospitality sector. The company also offers added value services to clients such as assisting with PCI DSS compliance, card payment tracking, tokenisation and Dynamic Currency Conversion.

Foregenix is a leading digital forensics and security consulting firm and creator of the market-leading FScout cardholder data discovery software. FScout enables clients to find and remove “rogue” credit card data lying dormant in their systems, thus ensuring that companies are not inadvertently leaving their cardholder data unprotected.

Servebase will offer an initial trial of FScout Enterprise as part of its data security healthcheck service, delivering optimum cardholder data security for Servebase clients. The hospitality industry is a major target for cardholder data theft, and both Foregenix and Servebase hope that that this partnership will bring improved security and brand protection to the industry and peace of mind to consumers.

“The hospitality industry is always at risk from data theft. By partnering with Foregenix we can offer our customers an additional layer of security in order to protect their data and to ensure that they are fully PCI DSS compliant” said Ritz Steytler, CEO at Servebase. “The partnership will enable us to work together to build innovative solutions for merchants to address the challenges they face today, such as PCI, without them having to take costly and drastic measures by completely overhauling their infrastructure.”

Benj Hosack, director at Foregenix, added “Partnering with market leaders such as Servebase is key to FScout reaching many more of the organisations that are handling credit card data, and thus helping to reduce credit card data fraud. This partnership will offer a great deal to clients in the hospitality industry, and in turn, better security for the end-clients whose cardholder details are handled by Servebase every day.”

If you would like to pre-register for our forthcoming PCI education seminars or would like further information on FScout please contact us.

We’re not just talking about large corporations buying up smaller companies either, the year has been littered with deals that have turned heads beyond payments, making headlines across the business world.

Deals like Mastercard’s acquisition of DataCash have meant a real consolidation within the payments space, with fewer firms controlling more aspects of the entire payments chain. However, the real question is, what does this ultimately mean for the customer?

A concern of consolidation is that the marketplace becomes less competitive. Take ACI’s purchase of S1 for example. The two firms have been fighting for the same customers for a number of years. Did ACI buy S1 because their products were complementary, or did they want to take S1 out of the competition? Ultimately, the motivation for the acquisition will affect the customer. And when you’re talking about acquisitions on this scale, the firms don’t become one well-oiled machine overnight. There’s going to be a lot of teething issues that they’re going to have to go through which could have a knock-on effect on their customers.

When a merger promises to be all things to all men, customers have to ask whether this is viable. For instance, should Verifone be providing the hardware, the point of sale application and the payments service behind it – which they’ll be able to do with their acquisitions of both Global Bay and Point – all the way through to the bank? And in Mastercard and Visa’s case, you can add the issuing of the card to that chain.

The landscape that this will create is not yet fully known. However, similar situations in the past – for instance when the payments terminals industry became consolidated – created opportunities for niche service providers to get their offerings across. This is key. What the customer wants above all else is choice. Admittedly the simplicity of having one company deal with the entire solution will bring certain benefits, but if a customer feels that they’re not in control of all aspects of their solution then they may well look elsewhere.

We’re in a very interesting period within the payments industry – and not just for customers. Payments firms are having their relationships tested too, as they go from being partners to potential competitors, or vice versa. What customers have to do is decide whether these acquisitions are for their benefit, and make their choices accordingly.

The PCI Data Security Standard represents a common set of industry tools and measurements to help ensure the safe handling of sensitive card information and because Servebase are a Payment Service Provider who process in excess of 6 million transactions per year, they must adhere to the most rigorous levels of compliance, level 1.

Salvatore Cicero, Chief Technical Officer, Servebase commented, “We always view our PCI-DSS Level 1 Audit as the minimum standard we must adhere to, but actually pride ourselves on going above and beyond the requirements. That coupled with the best practices we adhere to company-wide ensures our Technical team are able to create a project plan for our audit every year that they can work to and complete on time. My thanks go to everyone involved.”

Click here to view the Servebase 2012 PCI DSS certificate.

Today’s customers make much of their big purchase decisions at home before they even enter a store, comparing reviews and finding the best deals on websites and social networks. The rise of the smartphone is making a significant impact, allowing consumers to make comparisons while on the shop floor, perhaps even purchasing a product from one retailer while in the store of another.

And this is just the start. Customers expect to mix and match these channels in a way that suits them – maybe buying an item online and returning in store, or ordering over the web, while using loyalty points that they’ve earned through purchasing in a catalogue. Having the ability to transact with a customer in any channel is clearly becoming a critical capability.

The bigger picture is even more interesting. Now that customers are interacting with merchants using multiple channels, retailers and merchants are beginning to wonder what they can learn from this activity. Wouldn’t it be a nice idea if we could tie everything we know about our customer behaviour, and then use this information to enhance these relationships, provide better customer service and ultimately increase sales conversion rates?

My personal background is building retail systems – an area where, in the past, such unification has proved extremely difficult to achieve across multiple channels. Today, advances in modern technology are helping to break down the siloes, but there is clearly a lot of work left to be done to provide a seamless and consistent customer experience.

For me, the merchant’s Holy Grail is to be found in combining detailed insight into individual customer behaviour with personalised offerings, across all channels of interaction.

Understanding customer behaviour across channels is not a trivial exercise. Contrary to what your market researcher may tell you, the best way of understanding a customer’s behaviour is by tracking what customers actually bought, not what they said they would buy.

One great example is what Tesco and Dunnhumby have done extremely successfully with the Clubcard scheme – which allows Tesco to gather meaningful customer behavioural information by identifying a Clubcard user through their unique number and tracking every transaction they make. This information is then used extremely effectively to shape merchandising and offers to individual customers. Loyalty schemes like this, however, can be extremely complex and costly to set up, which is why few other retailers have implemented comparably sophisticated schemes of their own.

There is another potentially much simpler way of tracking a customer and generating insight into their behaviour, and that’s through their payment card number. Having a solution in place that can take card payments across all of the different channels already solves most of the problem. If that same solution provides a unified tokenisation strategy that allows the use of a customer’s details across channels in a PCI compliant way, then the picture becomes even more compelling.

I strongly believe in the future of multi-channel business, and at Servebase we will continue to invest heavily in developing our capabilities in this area. We can provide a tokenised solution that allows merchants to transact and track consumer spending across channels without compromising security. And with that you can begin to really understand behaviour and enhance the customer relationship. Perhaps the Holy Grail is not that far out of reach after all …

Ritz holds a Bachelor of Commerce degree in Computer Science from Stellenbosch University and an Executive MBA with Distinction from London Business School.

In March 2010 Salvatore was promoted to Chief Technical Officer with full responsibility for all technical areas of the business.

Prior to this James achieved the status of CIO where he oversaw the running of the Customer Services and Technology teams as well as instigating many exciting projects such as chip & PIN, 3D Secure and PCI-DSS compliance. After that, he became Strategic Development Director, responsible for investigating new industry initiatives and developments for inclusion in the future direction of the business.

Melissa has a broad range of strategic, IT and payments expertise, and is particularly strong in the areas of marketing and product management. Prior to joining Servebase, she was the Marketing Manager at STS, where she was instrumental to successfully launching an Electronic Funds Transfer (EFT) software application in Europe, and Product & Marketing Director at Mint Wireless, a specialised mobile payments company working with leading Enterprise Mobility businesses like Motorola on their mobile point of sale (POS) and payment strategies.