Viewpoint: Why Tokenization May Be the Hotel Industry’s Best Fraud Protection

By Tony Ashe, MiFinity

It is well-recognized within the payments world that online gambling sites, payday lending outfits and multilevel marketing companies wear the label of “high-risk merchants.” But with an estimated 38 percent of all credit card fraud stemming directly from the hospitality industry, hotels have earned for themselves the unwelcome “high-risk merchant” tag, too.

In the U.S., hotels generated an estimated $177 billion in annual revenue in 2014, but the risk factors of their business are obvious: large numbers of rotating guests, reservations and card-based transactions; complex multichannel booking systems integrated with dozens of third-party tools and supplemented by paper-based documentation, frequent chargebacks, and heavy interference from hotel personnel make up just a few of the factors that make hotels susceptible to fraud.

The risks are addressed by hoteliers, of course, through a variety of security measures. Bound by the requirements of PCI DSS—hotels deploy data encryption, network firewalls, and physical security measures to mitigate their fraud risk and stay PCI Compliant.

But these approaches to financial crime prevention, while valid, clearly no longer foot the bill for the hotel market at large. High-profile instances of fraud have plagued the industry in recent years, with Hilton Worldwide, the Mandarin Oriental Hotel Group, Starwood Hotels and White Lodging Services Corporation (a franchise operator for many Hilton, Marriott, Holiday Inn, Westin and Sheraton hotel locations) all experiencing well-publicized breaches of customer credit and debit card information within the last three years.

Although hacked or otherwise infiltrated point of sale (POS) systems, chiefly at hotel restaurants, bars and gift shops, were the drivers of fraud in each of the above instances, reservation-related issues may actually be the biggest growth area for financial crime moving forward, due in part to the use of intermediaries in customer bookings and the exponential growth of third-party apps and platforms catering to hotels and their customers.

Consider a recent vulnerability in the Marriott International Android app that was spotlighted in a piece on Forbes.com. Data security researcher Randy Westergren discovered he could load any membership ID number to the app and feed it to the server to be returned with information on the associated customer – including name, reservation number, and specific hotel and check-in dates. With that data, he could log in to the Marriott system to cancel travelers’ trips or view their contact details and credit card information.

Many other reservation-related threats abound, most notably those stemming from hotel-hotel or brand-franchise interactions. For example, the process known as “chaining”—whereby hotel brands transfer consumer data from their central reservations systems to connected third parties and franchises—is a hotbed for potential security and fraud issues.

Why? Because despite what the public typically perceives as a unified brand, parity does not actually exist between corporate hotel brands and their franchises. Even if a brand’s central reservations system is compliant with the PCI DSS requirements, the systems of 92 percent of independently owned and operated hotels—with which large brands frequently chain—are not, and often lack any meaningful data security or data privacy programs, according to PCI-DSS.

With Fraud on the Rise, Hotels Look to Tokenization

Through chaining, hotel brands are transmitting cardholder data to non-compliant partners daily, and injecting no additional protections into the process beyond the data encryption required for their own PCI compliance. And sadly, even the best encryption makes for insufficient protection against cybercrime.

Encryption hides or scrambles a cardholder’s original primary account number, or PAN. But if a hacker decodes the algorithm used to mask that data, then the original PAN can, and will, be stolen. And the more touch points involved in an encrypted transaction, the higher the hacking risk.

Every time a hotel brand chains reservation information to a potentially unsecure franchise, it is unwittingly—or wittingly—putting its customers’ information (and its own reputation) at risk. Resolving the chaining challenge, and plugging other holes in hotels’ financial crime protection efforts, requires hotel brands to look beyond PCI compliance to more comprehensive data security and fraud prevention.

Augmenting existing security efforts with more sophisticated solutions is the only way for hotels to truly protect their customers (and the $550 billion in revenue they’re projected to funnel into the global hotel market in 2016). The best tool for doing that may be a financial security instrument that’s been underutilized in the hospitality sector thus far: tokenization.

Tokenization safeguards payment card data by substituting a cardholder’s PAN with a randomly generated, one-time, virtual card number—i.e., a token—and bundling it with business rules for its exact use (where, when and by whom). Because the token is uniquely generated for one specific transaction, there is no way to trace it back to the original card number or use it for any purpose beyond its intended use.

Without PAN exposure, the fraud risk associated with chaining goes down significantly: A brand that transmits only tokenized transaction information to its franchise hotels doesn’t have to worry about those franchises (or any hackers) unencrypting, mishandling or misusing customer card data. The one-time-use virtual card number is simply transacted by the franchise in place of regular card information—eliminating the original cardholder data from the process entirely.

New Tools Meet the Unique Challenges of the Hotel Market

While no efforts can ever completely eliminate a business’ financial crime risk, tokenization—if implemented smartly—can vastly minimize hotels’ fraud risk exposure. But finding the right solutions provider is key. A number of vendors push some form of a tokenization product, but not all of them can be adapted to meet the unique needs of the hotel sector.

At MiFinity, we’ve coupled our feature-rich proprietary data processing platform with an e-money license and issuers of Visa, MasterCard and China UnionPay—affording us the flexibility to switch source funding (PAN or bank account) per each tokenized card instance. That capability is well-suited to the preferences, needs and emerging opportunities of the hospitality sector, since hotels are commonly expected to accept a wide variety of currencies and account and payment types from a global traveler base. Our ability to incorporate a wide variety of business rules and situations into a tokenized transaction also provides value to hoteliers, since they can utilize a virtual card number to hold a reservation (or run authorized post check-out charges for incidentals and the like) while still protecting the cardholder’s data from potential misuse.

Reducing losses, and bolstering financial crime protections across the board is vital for hotels—and not just for their revenue performance. Even just one headline about a security breach at a given hotel—or related settlement, like the one Wyndham Hotels just reached with the Federal Trade Commission—impacts consumer perception.

And in such a high-risk sector, the question of who’s at fault for a chaining-related fraud incident—brand or franchise—is beside the point. Since the general public doesn’t always understand the relationship between a corporate brand and its franchises, it’s the hotel brand that always takes the hit to its standing with consumers in an instance of financial crime (no matter which party was responsible for the security lapse).

In that sense, tokenization may be the best way for hotels to protect their finances, their guests and their reputations.

Anthony C. Ashe is a veteran executive whose leadership positions and managerial experiences have encompassed successful initiatives in business development, marketing, sales and project management at leading banks, financial firms, airlines and payments companies. Ashe currently serves as a principle shareholder and executive vice president of MiFinity Payments, which specializes in global funds movement and currency trading. Tony served as a member of the NASD, SEC, a registered investment adviser and an accredited asset management specialist. He can be reached at [email protected]m.

In Viewpoints, payments professionals share their perspectives on the industry. Paybefore’s goal is to present many points of view to offer readers new insights and information. The opinions expressed in Viewpoints are not necessarily those of Paybefore.