It has become a typical pattern – an industry suffers a rash of data breaches (mostly from self-inflicted wounds), companies are named and shamed, security capabilities broadly improve, and criminals move on.  The newest victim is the hotel industry, as witnessed by the latest revelations from Hard Rock and Omni.  If history is any guide, this is an industry that may not be so quick to improve its collective security posture, to the detriment of financial institutions (FIs), issuers, and travelers alike.

What’s news here is not that this is surprising, but quite the opposite.  This is an industry that has been slow to convert to EMV.  Who needs a fraud liability shift when what you sell can’t be fenced by fraudsters on eBay?  While that refrain and the logic behind it may have seemed sound at first glance, it was actually flawed because it failed to consider the data security implications.  And if the cost or complexity of upgrading to EMV was too much for hotels, you can forget about encryption altogether.

This is also not a major surprise, as this is an industry where security has always been aimed at the lowest common denominator and more focused on the appearance of security than on actual security.  Hotel staff has unfettered access to your personal items (what really fits in that room safe?), electronic locks on hotel room doors should be safer than traditional keyed locks but have long since proven vulnerable to break-ins, and even reward points programs don’t get the type of authentication they should (rewards account compromise and fraud have become a very real problem).

So what does all this mean for FIs, issuers, and travelers?  Payment and customer data will continue to be compromised as hotels remain an attractive breach target.  So common point of purchase (CPP) analysis on the part of FIs and issuers should begin to favor hotel transactions.  And travelers should take advantage of account alerts on the cards used to pay for incidentals, because options for alternate means of payment in this industry are negligible (cash up front, anyone?).  For more information on managing the fraud impact of breaches, see Javelin’s latest report

Past behavior is a logical indicator of future actions.  Those king beds may be comfy, but the folks tasked with providing a pleasant stay during vacations with our families or when traveling for business have demonstrated past security behavior that is anything but encouraging.


About Al Pascual

An accomplished industry analyst, market researcher, and financial industry practitioner, Al Pascual is Javelin’s Senior VP of Research and Head of Fraud & Security. As SVP of Research, he oversees the firm’s operations and ensures that Javelin’s research content provides the innovative perspectives that clients expect from the firm.

As Head of Fraud & Security, Al provides clients actionable insights on a variety of fraud and security issues, acts as a partner in developing strategies for managing risk, and identifies and raises awareness of future threats and solutions. Al researches a range of topics, including the applicability of biometrics in banking and payments, the effect of data breaches on the integrity of consumer identities, the relationship between identity fraud and loyalty, and the best methods for securing data and transactions.

Al has presented findings from Javelin’s rigorous, industry-leading research at conferences around the world, including BAI, CARTES, Money20/20, NACHA, and RSA. Al has provided commentary on fraud and security issues to media outlets such as American Banker, Bloomberg, CNNMoney, Fox Business, Reuters, The New York Times, The Wall Street Journal, The Washington Post, and Wired.

Previously Al held risk management roles at HSBC, Goldman Sachs, and FIS. He is a member of the Association of Certified Fraud Examiners, the International Association of Financial Crimes Investigators, and the Federal Reserve Secure Payments Task Force. He earned a Bachelor of Arts degree in History from the University of South Florida.
