In this weeks post we continue our discussion on the lack of compliance transparency and the enforcement of the PCI Data Security Standards. In order to gain additional data and further support our position we spoke to owners / operators of 300 franchised hotels. Our goal was to understand how the merchant interprets their responsibility under PCI and their perspective on the Standards. We also followed up with some basic security questions to garner some additional perspective. What we learned is interesting and worth sharing.
Part 1 of the Survey
Do you know what PCI Compliance is and do you consider yourself compliant?
100 Hotels said they have no idea what PCI or Payment Card Industry was and have never been asked about it.
112 Hotels stated the Franchisor was compliant and therefore they had no obligation to become compliant individually.
57 Hotels learned of PCI Compliance through sales calls from companies offering to help them become compliant and wanting to scan their infrastructure.
31 Hotels were familiar with PCI Compliance and aware of their obligation from a trade organization or association but will take no action.
Of the 31 hotels with knowledge of PCI Compliance none intended on working towards compliance because they were not aware of the benefit or the penalty.
Questions about the Hotel’s Infrastructure and Processes
What operating system do you use at the front desk terminals?
102 Hotels answered they use Windows XP at the front desk.
-When probed about the recent news about Microsoft most responded they are not interested in upgrading any time soon.
250 Hotels do not have any inactivity / timeout screen configured in the OS.
50 Hotels do have the inactivity screen configured but share a password for access.
Property Management System
197 Hotels have only one set of credentials for the Property Management System.
These credentials are shared among 2 or more hotel owners / employees
If a guest(s) claims their credit cards were stolen or misused as a result of their stay do you have a procedure to cure the issue and mitigate the loss?
300 Hotels responded that they do not have a formal process in place and would handle the event depending on the individual circumstances.
We will publish Part 2 in our next blog entry!
Posted in: Hospitality