Why PCI DSS is important for the hospitality industry

According to the latest Data Breach Investigations Report (DBIR) conducted by the Verizon Risk Team, the hospitality industry ranks among the most targeted industries. It has been a frequent target for cybercriminals seeking to steal credit card information, mainly due to the high number of transactions and the ease of infecting multiple locations within a hotel chain.
Why Is the Hospitality Industry One of the Most Attacked?
Hotels tend to store card data in many different places, including central reservation systems, third-party partners, front desks, emails, card authorization forms, physical and virtual POS systems, and Property Management Systems (PMS) together with the systems connected to them.
This creates many potential points of vulnerability where card data can be accessed or stolen.
Unfortunately, the hospitality industry has historically been slow to detect breaches. In many cases, hotels only become aware of an issue when customers report fraudulent transactions or when a payment processor alerts them to suspicious activity. Once a hacker gains access to a POS or PMS system, they can remain undetected for extended periods: days, months, or even years. During this time, not only credit card data is at risk, but also sensitive personal information such as names, addresses, ID numbers, and passport details.
Stolen data is not only used for fraudulent purchases but is also sold on the dark web. A valid credit card with sensitive authentication data (SAD) can be worth over $50. Many hotels retain credit card data to improve customer service—but this practice significantly increases their risk exposure.
PCI DSS to Improve Security in the Hospitality Industry
Changing how credit card data is stored is the first step in defending against cybercriminals. Capturing and storing payment data only when absolutely necessary can immediately reduce the risk of data breaches. Establishing and maintaining a proper PCI DSS program within the IT department is essential, not only to demonstrate compliance to acquirers and payment brands, but also to strengthen internal security processes.
PCI DSS encourages organizations to evaluate whether current technologies and processes are appropriate and whether all stored data is truly necessary. The smaller the card data environment (when properly secured), the harder it becomes for attackers to target it.
If You Don’t Need It, Don’t Store It
The primary principle for any organization handling card data should be simple: if you don’t need it, don’t store it. Organizations should eliminate unnecessary data, train staff, establish secure processes and implement supporting technology.
In many cases, sensitive data can be replaced by encryption and tokenization. This reduces the scope of PCI assessments and simplifies compliance.
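The two practical steps above, finding where card data has leaked into places like emails and authorization forms, and then replacing the stored PAN with a token so the PMS never holds the real number, are shown in the following added example. It is illustrative code written for this article, not a tool from any PCI provider; the `TokenVault` class is a hypothetical stand-in for an outsourced tokenization service, the key and the sample email are constructed, and the card number is a well-known test number rather than real cardholder data.

```python
from __future__ import annotations

import hashlib
import hmac
import re
import secrets

# Constructed sample values for illustration only: a standard test card number
# and a made-up front-desk email of the kind that leaks card data into mailboxes.
SAMPLE_PAN = "4111111111111111"
SAMPLE_EMAIL = (
    "Guest confirmed booking 2024-05-01, please charge card 4111 1111 1111 1111 "
    "exp 12/26, cvv 123. Ref 20240501-000042."
)


def luhn_valid(digits: str) -> bool:
    """Luhn checksum used by payment card numbers. When scanning free text it
    separates real PANs from booking references and other long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


# 13-19 digits, optionally separated by spaces or dashes, not embedded in a longer number.
_PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def find_pans(text: str) -> list[str]:
    """Return probable PANs found in text (emails, forms, exports): digit runs of
    card length that pass the Luhn check. Use it to discover where card data is
    stored outside the intended environment."""
    found = []
    for m in _PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


def mask_pan(pan: str) -> str:
    """Display form in which at most the first six and last four digits are visible."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


class TokenVault:
    """Hypothetical tokenization service standing in for a PCI-compliant provider.
    The PAN never leaves this object; callers keep only the token and masked form."""

    def __init__(self, index_key: bytes):
        self._index_key = index_key
        self._pan_by_token: dict[str, str] = {}   # vault side: the only place the PAN lives
        self._token_by_hash: dict[str, str] = {}  # keyed hash -> token, one token per card

    def tokenize(self, pan: str) -> str:
        if not (13 <= len(pan) <= 19 and pan.isdigit() and luhn_valid(pan)):
            raise ValueError("not a valid PAN")
        # Keyed HMAC, not a bare hash: an unkeyed SHA-256 of a 16-digit PAN is brute-forceable.
        h = hmac.new(self._index_key, pan.encode(), hashlib.sha256).hexdigest()
        if h not in self._token_by_hash:
            token = "tok_" + secrets.token_urlsafe(16)  # random, carries no card information
            self._token_by_hash[h] = token
            self._pan_by_token[token] = pan
        return self._token_by_hash[h]

    def detokenize(self, token: str) -> str:
        """Only the payment step inside the vault's own scope should call this."""
        return self._pan_by_token[token]


def reservation_record(vault: TokenVault, pan: str, expiry: str) -> dict:
    """What the PMS or reservation system stores: token, masked PAN and expiry.
    The CVV (sensitive authentication data) is deliberately not a parameter,
    because it must never be persisted after authorization."""
    return {
        "card_token": vault.tokenize(pan),
        "card_masked": mask_pan(pan),
        "expiry": expiry,
    }


if __name__ == "__main__":
    print("PANs found in sample email:", find_pans(SAMPLE_EMAIL))
    vault = TokenVault(secrets.token_bytes(32))
    record = reservation_record(vault, SAMPLE_PAN, "12/26")
    print("Stored reservation record:", record)
    print("PANs found in stored record:", find_pans(str(record)))
```

Running the scan over the sample email reports the card number but not the booking reference, which has the right length but fails the Luhn check; running it over the stored reservation record reports nothing, which is the point of tokenization: the systems outside the vault no longer contain anything a card-data scan can find, and that is what shrinks the PCI assessment scope.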
The Benefits of Outsourcing
When possible, outsourcing credit card management to a PCI-compliant service provider is highly beneficial. This approach reduces the risks associated with handling card data and significantly lowers the effort required to achieve PCI DSS compliance.