Here we go … more thoughts on the Coronavirus (COVID-19). Nope, I would rather leave that to the Center for Disease Control to keep us informed ( But I warn you that I will add a link to the end that Mike Dickersbach posted on LinkedIn. The post said that maybe we need to balance our thoughts on the virus. From the business side we all are wondering what lies ahead especially after ITB Berlin cancelled three days out when many of the 160,000 attendees were already on their way to Berlin. Will more events be cancelled moving forward? Will attendance at some events be lighter? Will some exhibitors cancel their booths at upcoming tradeshows? Who can be sure what lies ahead? People do what they think is best for their businesses in all industries, not just the hotel and travel world.

Hospitality Upgrade has an event coming up in a few weeks, the Executive Vendor Summit which is being held in Nashville starting March 25. I bring this up because surprisingly, or maybe not that surprisingly when you think about it, this is going to be our biggest crowd ever. Then I thought what a great way to send a message. The event is for those who supply technology solutions to the hotel industry. Their success is dependent on the hotel industry being successful. I have always thought some lead and some follow, and I am glad that so many who will be joining us at EVS can be looked at as true industry leaders. We will make sure everybody knows who they are, and I encourage you to follow Hospitality Upgrade as we get their thoughts on this segment of the industry and how they see the future. There are days that you can’t help but feel proud of what you do. We thank these leaders for their support and being part of our world.

As promised, here is Mike Dickersbach’s post, maybe the fear of COV-19 can be balanced a bit? Take a minute and read through it. I found it quite interesting, .

Now on the business side let me say that Doug Rice in his Definitely Doug blog that follows did a masterful job explaining how hotels get breached and more importantly the changes that are happening to have you avoid it happening to your business. I thought I knew this subject quite well, but I learned a lot from his explanation. Of course, then we follow Doug with the latest news in the world of technology for the industry and it is nice seeing such positive and interesting things happening. I encourage everyone to deal with today, but not forget to focus on the future. We have gone through times like this in the past and we will get through this also. Be positive, I know I will continue to be! See you at the end with one more try at you-know-what. Someday we will hit a home run!




Definitely Doug

Can Hotels Finally Secure Payment Data?

It was 12 years ago that the hotel industry first experienced a large breach of payment card data. Hotels and technology vendors have made very significant efforts since then, yet it is hard to identify a major hotel group that has NOT suffered at least one incident, and many breaches have been quite recent. Despite all the efforts, the Verizon 2019 Data Breach Investigation Report says that the accommodation industry is still the most common victim for Point-of-Sale (POS) intrusions (and based on their terminology, this includes breaches of Property Management Systems as well as POS systems). As much as hotels have improved security, hackers have improved their own methods to keep pace.

Much of the industry’s improved security can be credited to the implementation of tokenization solutions. Hotel systems can replace sensitive payment card data with what is essentially a reference pointer (called a token) to the actual card data, which is itself stored securely, often on a third-party site. The tokens are useless to a thief, so POS and Property Management Systems (PMSs) that use tokens (and don’t otherwise touch payment cards) cease to be targets. Most of the larger hotel groups have implemented tokenization, many following approaches recommended in the HTNG Secure Payments Framework for Hospitality. That framework was developed in 2011-12 and published in early 2013 after CIOs of several major hotel groups called on HTNG to develop a common industry approach to securing payment card data and identified the need for many of the solutions that have come to market since.

Tokenization efforts by hotel groups have focused mainly on the systems they manage themselves, usually including central reservations systems (CRSs) and loyalty databases and in many cases PMSs, but often excluding property-managed systems such as POSs and some PMSs. Vendors have stepped in to fill some of these gaps; many PMS and POS systems can now be deployed either without touching payment card data in the first place, or with support for tokenization solutions from various payment gateway providers.

Secure capture page services have also become commonplace; these are website and mobile app plug-ins that can securely collect payment card data. When a user needs to enter payment card information online, the secure capture page collects, processes, and (if needed) tokenizes the card data without that data ever being exposed to the hotel website or app.

The concepts behind these solutions are simple: move all sensitive payment card data into an isolated system that can be properly managed by security professionals. A few larger hotel groups do this in-house, while a much larger number use third party companies that specialize in the payments process.

Still, there are common gaps that expose hotel systems to raw payment card data and create risks of a breach. They also force costly and time-consuming compliance with the Payment Card Industry Data Security Standards (PCI-DSS). CRSs and PMSs receive bookings from third parties like online travel agents (OTAs) that often include raw payment card data. Although the card information can be tokenized before storing it in the hotel system, the raw card data is necessarily present while performing the tokenization. That means the hotel system has access to payment data – and can be breached.

Many hotels still use paper forms for credit cards, such as for event bookings and third-party room guarantees. These forms not only create a paper-trail risk but also require the manual entry of raw payment card data into a system, which then becomes a target for hackers. Meeting planners may email spreadsheets with rooming lists containing credit card numbers for individual guests. Hotels and contact centers take payment card data by phone (often on recorded lines) or by insecure email, meaning that recordings and email logs are vulnerable. Commercial and in-house solutions to these issues exist, but the in-house solutions bring at least some hotel systems back into the scope of the PCI-DSS requirements, increasing compliance costs and making the systems targets for breaches. Commercial solutions have improved, but historically they have been closed ecosystems around a single gateway or processor, requiring the hotel company to use a single provider and/or their preferred partners at all locations, which is impractical for many geographically dispersed hotel groups given that none of the providers are truly global.

The major hotel companies have addressed these issues in varying degrees, but often have little or no control over what happens at franchised hotels. Global brands often face additional gaps because they have hotels located in less-developed geographies where their primary service providers (gateways, acquirers, tokenization services) may not be supported. For example, the CRS may be able to tokenize a payment card in a reservation for an overseas hotel, but that hotel’s payment partners won’t have the ability to detokenize it. As a result, the CRS needs to detokenize it before sending it, again meaning the CRS is processing sensitive data, which tokenization is intended to prevent.

Independent hotels and regional groups have better options in many parts of the world, since they only need a solution that works in a single country or region (such as Shift4 in the United States), and some providers offer fairly comprehensive payment security suites. Often, companies like this work with local PMS and POS vendors and can provide good options for keeping payment card data out of those systems. Still, most can’t handle the “arrival” of payment card data into the system, such as when it comes from a central reservation service, an OTA, or via email, telephone, or spreadsheet.

This week I will look at some of the new tools that have emerged in in the past year or two to address some of these issues. Some of them won’t be practical for direct adoption by independents or smaller hotel groups, but many of the providers work with partners in the PMS or POS community. Knowing that the capabilities exist, even smaller hotel groups can have informed conversations with their PMS or POS vendors to see if they do or can offer or support these or similar solutions.

In 2013, the Secure Payments Framework for Hospitality identified a pressing need for a service that could intercept en route (such as between an OTA and a PMS) interface messages that contain payment card data, then replace the payment card data with a token and forward it on to the hotel PMS so that that system never had to touch raw payment card data. I’ve been looking for such a service ever since, and finally I found one. The PCI Shield product from PCI Booking does exactly this, accepting inbound reservation messages from channel partners, tokenizing the payment card, and forwarding the message on. PCI Shield also provides secure payment card capture from websites and mobile devices (many other providers also do these). It offers a solution for contact centers, where a secure payment link can be sent to the customer via email, text, or chat in real time. It works on outbound messages as well, reinserting the actual payment card data in place of the token, such as for sending a reservation from the CRS to a hotel that uses a different processor. I was very pleased to finally see such a solution. It still needs some work to meet all the needs of some hotels, but it is a major step forward. With many hotels getting 40% or more of their bookings from online channels, this represents a major exposure.

Another service from Sertifi addresses the challenge of eliminating paper-based payment authorizations, such as for group bookings or when a non-guest wishes to pay for someone else’s room. Sertifi added a secure payment capability to its preexisting e-signature products, for example enabling a meeting planner to sign off on a contract and submit payment through a single secure system. Sertifi can work with the hotel’s existing token provider and integrates with many PMSs and some sales and catering systems (if not interfaced, the hotel can securely view the payment card information and input it manually, although depending how this is done it may expose the PMS to the raw data). Sertifi can also support alternative payment methods such as Apple Pay and Alipay (assuming the hotel’s processor can).

Idem Hospitality has a good solution for secure entry of payment card data by meeting planners or group delegates, particularly where each guest needs to provide a credit card for room guarantee or deposit. The meeting planner can enter a rooming list, or individual guests can book into the group block, with payment handled securely. Idem eliminates the need for meeting planners to send spreadsheets and can bypass the need for customization of a reservation system to handle individual bookings into group blocks. Integration of payments also makes it simple for hotels to offer group delegates a broader set of options for prepayment and upselling.

For email reservations (which are still much more common than you might guess), Hotel Res Bot’s HERA solution provides a means of securing the payment data. HERA is an Artificial Intelligence solution that provides automated or semiautomated responses to email reservation requests, parsing and clarifying details in freeform text to enabled automatic entry into the PMS. To avoid having the customer send payment card information by email, once the request is fully clarified, the “bot” can send a confirmation with a secure payment link, keeping the payment card data out of the hotel system.

Most hotel groups rightfully want to get out of the business of managing credit cards in their own systems, and with tools like these, more of them can.

These tools can be extremely useful to some hotels in reducing exposure to credit card breaches, but for most hotels, gaps will still remain. Hackers most often gain entry by finding the weak point in a hotel’s network – whether it is the CCTV system, the PBX, or the parking system, or something else. They use remote access and default or stolen login credentials. Once into the first system, they then traverse the internal network to find systems that have sensitive data. Network segmentation can help prevent this, by making every message from one system to another traverse a firewall. Universal multi-factor authentication can make remote entry much more difficult. However, few hotels are equipped to manage security measures like these internally. So, it’s encouraging to see service providers such as Security Validation now offering security as a managed service. These practices can protect not only payment card data, but all personal guest data.

More innovation and product development are still needed in payment security, but 12 years after the first major breach, I can finally see some light at the end of the tunnel.

Douglas Rice
Email: [email protected]
Twitter: @dougrice



Recent Headlines, from Hospitality Upgrade and Hotel Online

Corporate News
– INTELITY Named Official Mobile and In-Room Technology Provider by Forbes Travel
– Sabre Announces Strategic Priorities Designed to Accelerate Growth
– Hotel Effectiveness Wins ALIS Tech Challenge and Named Hottest Technology in 2020
– Global Hotel Alliance Partners with Shiji Group to Bring Advanced Technology to Independent Hotel Brands Worldwide

For more information on Corporate News for 3/6/2020

People on The Move
– Clairvoyix Strategist Joins HSMAI as VP of Social Media
– Fuel Appoints Susan Spivey to the Role of VP of Business Development
– Leading Travel and Hospitality Consulting Firms Consolidate to Form PROVision Partners International
– IHG® Appoints Daniel Blanchard as New Chief Technology Officer
– Tourism and Hospitality Instructor Joins RoomKeyPMS’ Implementation Team

For more information on People On The Move for 3/6/2020

Guest Management Systems
– Hotels Worldwide Check into Cloud with Oracle
Hoteliers know they must deliver exceptional experiences to keep guests happy and loyal. To do so, hospitality brands are choosing Oracle Hospitality OPERA Cloud services to personalize guest experiences, offer new and innovative services and empower staff to provide guests with high-touch customer service anytime, anywhere.

– Maestro PMS’ Users Conference Is One of a Kind, Leverages a Culture of Innovation and Service to Deliver a High-Value Experience for Independent Operators
Maestro PMS had a record turnout at its most recent users conference in the world class city of Toronto. Maestro, the preferred hotel software system for independent operators, has educated and entertained its clients at its user conferences for over 15 years.

Reservations & Distribution
– The Waterfront Beach Resort, a Hilton Hotel, Sees Six-Figure Revenue from Partnership With ResortPass
What started as a way to fill a few pool loungers and cabanas quickly becomes a profitable new opportunity for an award-winning property that now offers a variety of daycation experiences to guests.

Revenue Management
– IDeaS Extends Platform to Encompass Total Revenue Forecasting Technology, Transforming How Hotels Plan and Budget

IDeaS Revenue Solutions, the world’s leading provider of revenue management software and services, announced today IDeaS RevPlan™, a cloud-based module built to complement its flagship RMS products. The module is designed to take the pain out of budgeting and forecasting a hotel’s total business, including food and beverage outlets.

– YOTEL, Duetto Enter Tech Partnership
YOTEL, the innovative global hospitality brand for smart, tech savvy travelers, has partnered with Duetto, a leading provider of cloud-based Revenue Strategy applications, to streamline its revenue processes and maximize profitability across its European operations.

– IDeaS Delivers Leading Guidance and Support to Hoteliers Facing COVID-19 Demand Disruption
IDeaS, a world leading provider of revenue management software and services, has scheduled a webinar for March 10, 2020 as part of its continued efforts to aid its clients and the global hotel industry.

Guest Facing Technology
– New Wayfinder for Digital Signage from Uniguest Will Revolutionize Guest Engagement
Uniguest, a leading hospitality engagement technology provider, announced the launch of Wayfinder. The Uniguest Wayfinder solution can be used with supported interactive digital signage displays, single-purpose tablets or digital whiteboards. Wayfinder is an extension of the Uniguest content solution that provides an interactive touchscreen map for guests.

– Visrez Reaches 1,000 Clients Worldwide
Visrez has solved the problem of how to capture visual assets on-site and the company is widely regarded as one of the finest innovations of its kind.

– commingle:engage Provides Marriott Hotels Social Media Marketing & Brand Compliant TripAdvisor Guest Review Responses From $499
Marriott services include fully managed weekly postings on Facebook, Instagram, and Twitter along with responding to all TripAdvisor guest reviews 7 days a week.

Sales & Catering, Groups & Meetings
– UgoVirtual Event Platform Provides Robust Alternative to Onsite Meetings for Challenged Global Hotel and Travel Industry Event Planners
UgoVirtual, a comprehensive online platform designed to meet the growing virtual travel and event management/hosting needs of the global travel and hospitality sectors, is providing a timely alternative to onsite events that have come under scrutiny in light of recent global health concerns surrounding the Novel Coronavirus (COVID-19).

Back Office
– High Hotels Maximizes Performance Forecasting, Business Intelligence and Data Management Efficiency with ProfitSword Partnership
ProfitSword, one of hospitality’s premier developers of business intelligence and data integration software, has partnered with High Hotels to implement its ProfitSage operational and financial reporting platform at all properties that the hotel management company currently oversees.

– Atlanta Evergreen Marriott Conference Resort Expands Use of Clear Sky Software’s Money-Saving Inventory Systems
Clear Sky Software, Inc.® announced today that The Atlanta Evergreen Marriott Conference Resort has expanded its use of Clear Sky Software’s money-saving inventory systems.

Communications and Infrastructure
– Radisson Fort Worth North-Fossil Creek Ensures Fast and Seamless Guest Wi-Fi Connectivity with Advanced Network Upgrade by Hotel Internet Services
Hotel Internet Services (HIS), a full-service provider of internet services and solutions for the hospitality industry, has announced the successful implementation of an advanced Wi-Fi service upgrade at the Radisson Fort Worth North-Fossil Creek.

Food & Beverage
– Restaurants Serve Up Agility and Reliability with New Oracle Tech
The food and beverage industry is constantly challenged to meet changing demands without impacting great service. Some of these businesses need the flexibility to field a pop-up shop or food truck to extend their brands, while others must speed the ordering process to cut customer wait times. To help meet all these needs and more Oracle unveiled its new MICROS Workstation 625 and 655 Point-Of-Sale systems at Oracle Food and Beverage Connect.

– Sofitel London Heathrow Turn Around Their Daily Operations With Knowcross
Knowcross, a global leader in providing service quality and optimization solutions for hotels, is thrilled to share that Sofitel London Heathrow, has decided to implement the Knowcross platform to increase operational productivity and enhance the quality of guest service. This addition further reinforces the company’s position as the most preferred service quality management platform of hotels all across Europe.

– Resort Collection Selects Full Beachy Product Suite to Enhance Guest Service and Improve Operational Efficiency at Its Edgewater Beach and Golf Resort
“Beachy understood precisely what was necessary to improve guest service, keep our service teams happy, and increase our revenue at the beach and pool by more than 250%,” said Paul Wohlford, Vice President of Business Development at Edgewater Beach and Golf Resort.

Human Resources
– Beekeeper and Whispr Bringing Augmented Intelligence to Frontline Workers
As a hospitality innovation leader, this operational communication company is shaping the future workplace for frontline workers by anticipating technological trends and developing real-world solutions with its partners

– Wood Hotel Selects ASSA ABLOY Global Solutions to Provide Guests and Residents with Latest in Security Access Technology and Design
ASSA ABLOY Global Solutions has announced the successful implementation of VingCard Essence Mobile-Access ready door locks at the newly constructed Wood Hotel in Brumunddal, Norway.

Hospitality Events and Association News
– HFTP to Assist Postponed HITEC Europe Exhibitors
Hospitality Financial and Technology Professionals (HFTP®), the producers of HITEC®, announced today that exhibitors and sponsors who were confirmed to participate in HITEC Europe 2020 will be offered a complimentary branding package for HITEC North America, scheduled for 15-18 June 2020, San Antonio, Texas, USA.

– HFTP Announces Postponement of HITEC Europe 2020
Hospitality Financial and Technology Professionals (HFTP), the producers of HITEC, announced that HITEC Europe 2020 has been postponed in response to the global uncertainty related to the Novel Coronavirus and its immediate impact on the hospitality industry. The event, which was planned for Mallorca, Spain 21-23 April, is Europe’s premier hospitality technology event.

Market Reports
– Hotels Scrape Out Profit Growth in January Amid Coronavirus Concern
U.S. hotels eked out a 0.6% year-over-year increase in GOPPAR in January, but as the full scope of the coronavirus virus becomes clearer, subsequent months could put pressure on hoteliers to generate both top- and bottom-line growth.


Piqued Our Interest

More Conferences Canceled, Tech Companies Impose Travel Bans over Coronavirus Concerns

Robots are Taking Over Hospitality Industry

Personal Info of 10.6M MGM Hotel Guests Published on Hacking Forum

Hotel Managers and Owners Be Warned – You are Responsible for Your Hotel’s Data Security


And now for you-know-what.…

In a crowded city at a busy bus stop, a woman who was waiting for a bus was wearing a tight leather skirt.

As the bus stopped, and it was her turn to get on, she became aware that her skirt was too tight to allow her leg to come up to the height of the first step of the bus.

Slightly embarrassed and with a quick smile to the bus driver, she reached behind her to unzip her skirt a little, thinking that this would give her enough slack to raise her leg.

Again, she tried to make the step only to discover she still couldn’t. So, a little more embarrassed, she once again reached behind her to unzip her skirt a little more.

For the second time she attempted the step, and once again, much to her chagrin, she could not raise her leg. With a little smile to the driver, she again reached behind to unzip a little more and again was unable to make the step.

About this time, a large Texan who was standing behind her picked her up easily by the waist and placed her gently on the step of the bus.

She went ballistic and turned to the would-be Samaritan and screeched, “How dare you touch my body! I don’t even know who you are!’

The Texan smiled and drawled, “Well, ma’am, normally I would agree with you, but after you unzipped my fly three times, I kinda figured we was friends.”