News for the Hospitality Executive

By Dave Bleser

Mr. Russo also agreed that it is purely arbitrary as to how the fines are determined and administered when there is a breach. These two admissions by Mr. Russo help to confirm the perception that exists in our industry… the PCI Standards Council was initially created to protect credit card numbers from being obtained fraudulently but now they see it as a significant source of revenue.

Did you know there are no published guidelines/declarations for how far back the PCI Council can audit a business when there is a breach? What happens if during their audit they find an area that is susceptible to a breach that is totally unrelated to the cause of the current breach? Can they fine the business for that as well? How much is the fine? There is not one person from a company other than the credit card companies who sits on the Executive Committee or Management Committee for PCI. Essentially the fox is guarding the hen house.

According to their very own website, the PCI Council “is responsible for the development, management, education, and awareness of the PCI Security Standards, including the Data Security Standard (PCI DSS).” Think about it for a moment. The training they offer is not industry specific. They refuse to disclose how the breaches occur and what steps the hotel industry should take to prevent similar breaches from occurring. That information would be educational to our industry and they wouldn’t have to identify the hotel. How can we as an industry protect ourselves from breaches when we don’t know how they are happening?

They also want to raise the awareness of the standards and penalties. For the past two years the organizers of the Hospitality Law Conference have invited representatives from the credit card companies to come hear the industry’s concerns. They have refused. Why? If they truly want to be our “partners” then they should be willing to sit down in a public forum and address our concerns. This would go a long way in raising the awareness and educating the industry as a whole.

Then there is the issue with chargebacks. The information needed to be kept by the hotels in order to win the chargeback violates the new privacy laws recently enacted by several states. So how is the industry supposed to protect itself from this expense?

About the Author: David M. Bleser, President of Bleser & Associates, LLC, provides comprehensive, customized programs for the hospitality industry that are designed to help his clients achieve maximum asset valuation. A United States Marine Veteran of Operation Desert Shield and Desert Storm, he graduated from the University of South Carolina with a bachelor’s degree in Hotel, Restaurant & Tourism Administration. As a nationally recognized authority on fraud within the hospitality industry, he conducts numerous fraud/identity theft presentations throughout the country each year. His extensive knowledge of operational policies and procedures has led him to write numerous articles regarding internal fraud for several hospitality publications. He is a member of the prestigious, invitation-only International Society of Hospitality Consultants (ISHC), the Association of Certified Fraud Examiners, HFTP and The Institute of Internal Auditors. In 2007 he was inducted into Strathmore’s Who’s Who and is the past Chairman of the Loss Prevention Committee for the American Hotel and Lodging Association.

Contact: David Bleser, President, Bleser & Associates, LLC, 145 Open Sky Road, Austin, Texas 78737, 407-590-4532