Despite the magic conjured by the wizards of Hospitality Franchise Law, the responsibility for PCI and Data Privacy at a hotel falls upon the Franchisor and the Franchisee equally. The line between the parties is not as cut and dry as Consumers are led to believe by the Corporate Brands.
Visa published a bulletin in 2008 linking the Compliance activities of the Franchisee and Franchisor when it comes to data security but the industry seems to be working hard to tap dance around the guidance.
We interpret the Visa bulletin to require franchisors to do the following for the franchisee:
1) Adopt Secure Payment Applications
2) Enforce Network Security
3) Secure Remote Management Applications
4) Amend Franchise Contractual Agreements
5) Expand Franchise Communications and Training
It is laughable to us that a Brand will spend millions of dollars a year to audit a properties adherence to brand standards such as the color of the drapes, the size of the beds, what shampoo is offered, or the consistency of the signage but when it comes to Data Security Controls intended to protect consumers the Brands respond “it’s not our responsibility” The auditing and policing of Data Security and Privacy Standards MUST be the responsibility of the Brand and must be done with the same fervor as brand standard audits.
Hotel owners rarely have the controls in place to allow them to attest to being PCI Compliant. Most do not have any idea what the PCI Data Security Standards are and this adds to the risks. Sadly, hotel franchisors have deemed it more appropriate to disavow themselves of any responsibility or culpability for fear a data breach at a hotel would call their own systems into question.
Craig Leitch, Vice President of Operations at America’s Best Value Inn's parent company, says that PCI compliance for reservations and bookings transactions handled by the corporate headquarters website and call center is taken care of by Sabre Hospitality, a leading Central Reservations Systems provider.
But Leitch says America’s Best Value Inn isn’t responsible for the PCI compliance of the individual locations in the chain.
Mr. Leitch goes on to say “Because each of the 1,000-plus individual properties operating under one of our brands is independently owned and operated,” Leitch said in an e-mail statement delivered by a company representative, “each individual property is responsible for its own PCI compliance.” .- ConsumerReports.org April 9, 2014
Clearly a disconnect exits between Visa’s guidance and the opinion proffered by Mr. Leitch and his industry peers.
We believe when the computer systems of a hotel connect to corporate systems that process, store or transmit cardholder data, both entities share the responsibility for PCI Compliance. We are consulting with a number of PCI assessment firms and will report their expert opinions. We also think Visa has been very clear on this subject and requires the Franchisor to actively participate with the Franchisee.
Food for thought……Let’s consider one of the more recent and significant data breaches in the hotel industry. The corporate data center was compromised allowing a significant number of credit cards to be exploited. The interesting fact is the initial intrusion took place at a Franchised Property, which provided the gateway into the corporate systems.
Posted in: Hospitality