The project achieved its original objective of defining a viable, cost-effective approach to ensuring that no hotel system should ever need to process, store, or transmit payment card data.
HTNG is pleased to announce the release of the “HTNG Secure Payments Framework for Hospitality.” The result of nearly 18 months of dedicated effort by a workgroup consisting entirely of security experts from major hotel companies, the Framework promises to improve payment card security across the industry, and to greatly reduce the cost and complexity for hotels to comply with Payment Card Industry Data Security Standards (PCI-DSS). The Framework was approved by formal vote of the Secure Payments Framework workgroup.
The project achieved its original objective of defining a viable, cost-effective approach to ensuring that no hotel system should ever need to process, store, or transmit payment card data. Achieving this objective removes the most difficult and expensive aspects of PCI compliance for hotels. While some larger hotel companies may still choose to retain sensitive payment card data in certain systems, the Framework allows this to become a conscious choice, rather than an unavoidable risk.
The Framework will be unveiled at HTNG’s North American Conference on the afternoon of Wednesday, February 27 in Atlanta. Three of the participating hoteliers will present the Framework. Security experts from Trustwave and Verizon will participate and weigh in with questions and comments.
The Framework creates significant new business opportunities for vendors and service providers who already operate within PCI scope, such as payment gateways, merchant acquirers, and payment terminal manufacturers. The objective is to let hotels focus on hospitality, and to effectively “outsource” the handling of payment cards to the payment services industry, which is better equipped to handle them securely. This is achieved through extensions to the use of tokenization well beyond current implementations, as well as through point-to-point encryption and other innovations. Payment-aware hospitality application vendors such as PMSs and POS systems are expected to be able to implement the Framework with minimal effort, because it is built upon the foundation of approaches that are already widely supported in the industry.
Numerous leading PCI-qualified security assessors (QSAs) in North America and Europe have reviewed key aspects of the HTNG approach over the past 18 months at the request of participating hotel security executives and HTNG. Several of the QSAs also reviewed final drafts of the Framework document. Their opinions to date support the belief of participating hotels: that the Framework incorporates known best practices, and – when properly and fully implemented – can remove hotel systems from the scope of onerous PCI validation requirements. Today, those requirements typically apply to Property Management Systems, Point of Sale systems, Central Reservations Systems, booking websites, e-mail systems, fax servers, and other applications commonly used by hotels. Both HTNG and the QSAs caution hotels, however, that even though their systems may be taken out of scope for PCI compliance by implementing the Framework, other PCI requirements still apply, as with any merchant that accepts payment cards.
The HTNG effort builds upon, rather than replaces, extensive payment security solutions that several major hotel groups and vendors have already implemented. In particular, it supports all known variations of “tokenization,” a widely used concept in which sensitive payment card data is replaced by a token, or marker. The token can be used by a hotel to process payments, but is worthless to a thief. The Framework also incorporates emerging payment card industry approaches for card capture (e.g. swipe devices) based on point-to-point encryption (P2PE). But it also solves challenges that even the largest hotel groups have found difficult or impossible to address through tokenization or P2PE, including:
- Accepting third-party reservations containing payment card information, without exposing at least one hotel system (and often many) to sensitive card data
- Allowing customers to provide payment card data during voice reservation transactions, without exposing the agent, call center system, or call recording systems to the scope of PCI
- Allowing unrelated business entities (e.g. brands, franchisees, OTAs) to send reservations with payment card data, without exposing either party’s systems to sensitive card data, and without requiring the parties to use the same security approach, tokenization provider, or payment gateway
- Accepting payment card data through hotel web sites without bringing any hotel systems into scope
- Accepting information submitted by customers through e-mail, fax, or document upload (e.g. meeting planner spreadsheet), without exposing hotel systems to PCI scope
- Supporting research of credit card transactions by hotel staff, such as for dispute investigation, without bringing hotel systems or networks into PCI scope
The Framework identifies the need for new payment products and services to meet certain unique needs of the hotel industry. Several participating hotel companies have already begun discussions with their payment service providers and device manufacturers to develop these products and services. They have reported significant support from their partners and expect some of them to announce new products and services to meet these needs in coming months.