Hotel Online
News for the Hospitality Executive


The PCI Veil of Secrecy Has Been Lifted...A Little

By Dave Bleser
April 2011

At the Information Protection and Privacy Conference (including the PCI Conference) that I recently hosted at the 2011 Hospitality Law Conference, Bob Russo, General Manager for the PCI Security Standards Council, lifted the veil of “secrecy” surrounding PCI a little bit. He acknowledged two things that I think the hotel industry should take notice of. One, he agreed “chip and PIN” was effective for person-to-person transactions. If that is how the PCI Standards Council feels, then why has the U.S. not yet adopted this requirement like so many other nations? Why has the council not publicly pushed for its adoption?

Mr. Russo also agreed that how the fines are determined and administered when there is a breach is purely arbitrary. These two admissions by Mr. Russo help to confirm the perception that exists in our industry… the PCI Standards Council was initially created to protect credit card numbers from being obtained fraudulently, but now they see it as a significant source of revenue.

Did you know there are no published guidelines or declarations for how far back the PCI Council can audit a business when there is a breach? What happens if, during their audit, they find an area that is susceptible to a breach but totally unrelated to the cause of the current breach? Can they fine the business for that as well? How much is the fine?

Not one person from a company other than the credit card companies sits on the Executive Committee or Management Committee for PCI. Essentially, the fox is guarding the hen house.

According to their very own website, the PCI Council “is responsible for the development, management, education, and awareness of the PCI Security Standards, including the Data Security Standard (PCI DSS).” Think about it for a moment. The training they offer is not industry specific. They refuse to disclose how the breaches occur and what steps the hotel industry should take to prevent similar breaches from occurring. That information would be educational to our industry, and they wouldn’t have to identify the hotel. How can we as an industry protect ourselves from breaches when we don’t know how they are happening?

They also want to raise awareness of the standards and penalties. For the past two years the organizers of the Hospitality Law Conference have invited representatives from the credit card companies to come hear the industry’s concerns. They have refused. Why? If they truly want to be our “partners,” then they should be willing to sit down in a public forum and address our concerns. This would go a long way toward raising awareness and educating the industry as a whole.

Then there is the issue with chargebacks. The information hotels need to keep in order to win a chargeback dispute violates the new privacy laws recently enacted by several states. So how is the industry supposed to protect itself from this expense?

I agree that protecting sensitive guest information is good business. There are policies and procedures that hotels can implement in order to reduce their exposure to this type of loss. But with dollars limited, we need to know where best to spend those dollars. The unwillingness of the members of the council to have an honest discussion with the industry, and their unwillingness to have clear and defined standards for the issuing of fines, can only lead one to conclude that the members of the council view the PCI standards more as a revenue generator than as a way of being a good business partner.

About the Author:
David M. Bleser, President of Bleser & Associates, LLC, provides comprehensive, customized programs for the hospitality industry that are designed to help his clients achieve maximum asset valuation.
A United States Marine Veteran of Operation Desert Shield and Desert Storm, he graduated from the University of South Carolina with a bachelor’s degree in Hotel, Restaurant & Tourism Administration. 
As a nationally recognized authority on fraud within the hospitality industry, he conducts numerous fraud and identity theft presentations throughout the country each year. His extensive knowledge of operational policies and procedures has led him to write numerous articles regarding internal fraud for several hospitality publications.
He is a member of the prestigious, invitation-only International Society of Hospitality Consultants (ISHC), the Association of Certified Fraud Examiners, HFTP and The Institute of Internal Auditors. In 2007 he was inducted into Strathmore’s Who’s Who, and he is the past Chairman of the Loss Prevention Committee for the American Hotel and Lodging Association.


David Bleser, President
Bleser & Associates, LLC
145 Open Sky Road
Austin, Texas 78737
