News for the Hospitality Executive

Major Hotel Groups Joining Forces to Improve Security of Credit Card Data Processing

CHICAGO, September 28, 2011 – At least sixteen major hotel groups from around the world plan to work together to develop an industry security framework for handling sensitive credit card data. Intended to dramatically improve the security of credit card processing by and for hotels while significantly reducing costs, the effort has been chartered as a working group of Hotel Technology Next Generation (HTNG). HTNG is a non-profit trade association that has developed solutions and standards in use throughout the hospitality industry, including interface standards for credit card processing and security.

A Unique Security Challenge Requiring an Industry Solution

Hotel credit card transactions are more difficult to secure than in other industries. During the hotel reservation process, sensitive data must often flow across systems controlled by several different companies -- and must be stored for weeks or months, until the guest departs and the final bill has been settled.

Each company in the reservation process typically uses a different approach to securing sensitive credit card data. As a result, standard security approaches such as tokenization, which can provide excellent security when a single company controls the systems, cannot easily be used for transactions that move across systems controlled by multiple companies, as routinely occurs with hotels. Tokenized (secure) card numbers typically cannot be deciphered by anyone other than the company that created them. This means that systems must transfer actual credit card data instead, exposing systems at both ends of each transfer to increased risk of hacking and theft.

Outline of the Solution

While major hotel companies have invested heavily in security within their own systems, they have no control over the hundreds of third-party systems that may touch their reservations prior to guest arrival. Top hotel security executives met several times to discuss this problem as the HTNG Secure Payments Framework effort took shape during August and early September.
Early discussions indicated a broad agreement that a single industry framework is needed, and that the framework needs to work with existing security approaches in place at major hotel companies and in commonly used systems. There was also agreement on the key elements needed for the industry framework. The group intends to document this framework conceptually in a white paper that will form the basis for subsequent standards development.

“Every major hotel company is working to get as many of their systems as possible out of the scope of the Payment Card Industry Data Security Standards (PCI-DSS),” said Douglas Rice, CEO of HTNG. “Most of these companies have focused on solutions based on tokenization, and many have implemented them or are in the process of doing so.”

Tokenization is a process whereby sensitive card data is stored in a single secure location, which may be operated by a hotel brand, a payment gateway or another third party, and replaced in hotel systems by substitute “tokens.” The tokens can be used to complete the transaction, but are useless if intercepted electronically by a thief.

This new effort will leverage hotel companies’ prior investment in tokenization efforts, adding a layer of security that will enable those solutions to be extended to unrelated parties that may be involved in transactions, such as online travel agencies, global distribution systems, switches, channel management systems, central reservation systems, management companies, independent hotels, payment gateways, swipe devices, and other parties.

“The approach is intended to enable the tokenization of card data by the first system that touches the reservation,” said Rice. “The sensitive data will remain stored in a secure vault, and all of the other systems will simply pass along the token in place of the credit card. The hotel itself can then submit the token to its token provider or gateway to complete the card transaction. The card data itself need never touch a hotel system.”

Once defined, the Secure Payments Framework for Hospitality can be communicated by supporting hotels to their technology and distribution partners, management companies, franchisees, payment gateways, tokenization providers, and other parties. Interoperability standards will be developed (or existing standards enhanced) to support the framework. A key design consideration is that the framework should augment rather than replace existing tokenization approaches in use or in the process of implementation at several major hotel brands and in commonly used hotel systems.

Hotel Participation

Many of the world’s largest hotel companies have indicated their intention to participate in the effort to define the framework; others are now invited to join as the workgroup formally launches.
Technology providers, distribution partners, and payment processors will not be able to participate directly in the framework development phase, but may engage with their customers who are represented on the workgroup to ensure that their interests are considered. They will also have the opportunity to participate in the actual development of solutions and standards in subsequent phases.

Additional hotel companies are invited to join the effort, and other HTNG members may subscribe to the workgroup’s mailing list to monitor progress. During an initial 30-day period, signup will be open for any HTNG member hospitality company. Technology and payment service providers will not be eligible to participate in the development of the framework, but will have the opportunity to join during later phases to help develop the necessary standards.

Timeframe and Deliverables

The effort will be structured as an HTNG workgroup, which will meet on a weekly basis to develop and document the framework in a white paper within approximately four months. The project will include the identification of specific efforts that may be needed to develop or adapt interface standards to support the framework. HTNG expects that these standards will be developed during the first half of 2012.

For More Information

Visit HTNG’s Credit Card Security page at http://www.htng.org/credit-card-security for more information about how to join this effort or monitor proceedings, and for other information on hotel credit card security.

The premier technology solutions association in the hospitality industry, HTNG is a self-funded, non-profit organization with members from hotel and hospitality companies, technology vendors to hospitality, and other industry members including consultants, media, and academic experts. HTNG’s members participate in focused workgroups to bring to market open solution sets addressing specific business problems. HTNG fosters the selection and adoption of existing open standards. Where necessary, it also develops new open standards to meet the needs of the global hospitality industry. Membership in HTNG is open to hotel and hospitality companies, technology vendors to hospitality, consultants, academics, press and others. Currently, more than 400 corporate and individual members from across this spectrum, including most of the world’s leading hotel companies and technology vendors, are active HTNG participants. HTNG’s Board of Directors alone represents more than 2.3 million guest rooms. Workgroup proceedings, drafts, and specifications are published for all HTNG members as soon as they are created, encouraging rapid and broad adoption. Specifications are released to the public domain as they are ratified by the workgroup. For more information, visit www.htng.org.

Contact:
Hotel Technology Next Generation
Brian Larson, Marketing Consultant
+1 847 303 5560
www.htng.org