The summer travel season is in full swing, but if your vacation plans include staying at a hotel, be sure to check if the hotel is PCI compliant before checking in.
What is PCI compliance?
PCI DSS is shorthand for Payment Card Industry Data Security Standard. All hotels that accept credit and debit cards should adhere to the standard, as required by the major credit card companies. Compliance assures the card companies and customers that important precautions against identity theft have been taken on their behalf, including installing firewalls, monitoring for malware and other basic precautions that you likely take with your own home network.
If you’re thinking that’s a no-brainer and that of course large hotel chains are PCI DSS compliant, consider this information from Consumer Reports: The Federal Trade Commission (FTC) has brought 32 actions against corporations and organizations, including Wyndham Worldwide, which, according to the FTC, was hit by Russian hackers three times in 2008 and 2009. The credit card numbers of hotel guests were stolen, resulting in $10.6 million in fraudulent charges.
Wyndham tried to have the FTC case against it thrown out earlier this year, but a judge allowed the case to move forward. Michael Valentino, vice president of marketing and communications for Wyndham Worldwide, told Consumer Reports, “We continue to believe the FTC lacks the authority to pursue this type of case against American businesses, and has failed to publish any regulations that would give such businesses fair notice of any proposed standards for data security. We intend to defend our position vigorously.”
Edith Ramirez, chairwoman of the FTC, responded, “I’m pleased that the court has recognized the FTC’s authority to hold companies accountable for safeguarding consumer data, and we look forward to trying this case on the merits.”
So, where does this leave you? The smart consumer is proactive. If you’re making a reservation online, check to make sure the website and the hotel that you’ve chosen are compliant. If you’re making a reservation by phone, ask the reservation agent. If the agent doesn’t know, ask to speak with the hotel manager. There’s also a website that allows you to check companies for compliance, Privacy Atlas. A spot check of five properties on Privacy Atlas showed zero compliance.
If you’re having trouble verifying whether a hotel is PCI DSS compliant, you may want to go the old-fashioned route—copy your grandparents by carrying traveler’s checks.
Vacations are supposed to be fun and relaxing. Don’t allow the afterglow of your travels to be spoiled by learning that you’ve unknowingly helped out a hacker.