It has become a typical pattern – an industry suffers a rash of data breaches (mostly from self-inflicted wounds), companies are named and shamed, security capabilities broadly improve, and criminals move on. The newest victim is the hotel industry, as witnessed by the latest revelations from Hard Rock and Omni. If history is any guide, this is an industry that may not be so quick to move on to improving its collective security posture, to the detriment of financial institutions (FIs), issuers, and travelers alike.
What’s news here is not that this is surprising, but quite the opposite. This is an industry that has been slow to convert to EMV. Who needs a fraud liability shift when what you sell can’t be fenced by fraudsters on eBay? While that refrain and the logic behind it may have seemed sound at first glance, it was actually flawed because it failed to consider the data security implications. And if the cost or complexity of upgrading to EMV was too much for hotels, you can forget about encryption altogether.
This is also not a major surprise, as this is an industry where security has always been aimed at the lowest common denominator and focused more on the appearance of security than on actual security. Hotel staff has unfettered access to your personal items (what really fits in that room safe?); electronic locks on hotel room doors should be safer than traditional keyed locks but have long since proven vulnerable to break-ins; and even reward points programs don’t get the type of authentication they should (rewards account compromise and fraud have become a very real problem).
So what does all this mean for FIs, issuers, and travelers? Payment and customer data will continue to be compromised as hotels remain an attractive breach target. Common point of purchase (CPP) analysis on the part of FIs and issuers should therefore begin to favor hotel transactions. Travelers, for their part, should take advantage of account alerts on the cards used to pay for incidentals, because options for alternate means of payment in this industry are negligible (cash up front, anyone?). For more information on managing the fraud impact of breaches, see Javelin’s latest report.
Past behavior is a logical indicator of future actions. Those king beds may be comfy, but the folks tasked with providing a pleasant stay during vacations with our families or when traveling for business have demonstrated past security behavior that is anything but encouraging.