The hospitality industry faces significant risks from card fraudsters…but there’s hope


by Laura Miller
Chase Merchant Services Commercial Banking Segment

Payments fraud continues to increase across industries. A record 82 percent of organizations reported payments fraud incidents in 2018.[1] And, according to the American Hotel & Lodging Association, more than half of all credit card fraud takes place within the hospitality industry – with total losses approaching $3 billion annually.

While chip-enabled cards safeguard the physical front desk against counterfeit card fraud, fraudulent online hotel bookings are expected to increase in the coming years. Industry estimates suggest online booking fraud could increase by as much as 25 percent.[2] The hospitality industry is considered to be a major source of the compromised card credentials criminals use to commit counterfeit card fraud.


Unlike in the movies, most crimes are not elaborate jewelry heists committed by attractive but wayward protagonists who engage in witty repartee. They are crimes of “opportunity.” A criminal spots an opportunity to steal and takes it. Card fraud, virtual or physical, is the same.

The good news is there are steps you can take to protect your business. You can minimize your fraud risk in a few simple steps, freeing you to focus on other, revenue-generating aspects of your business.

The first step is to take the Payment Card Industry (PCI) Security Standards Council Self-Assessment Questionnaire to help you evaluate your security practices and determine where you have gaps. The council also provides a list of best practices that hoteliers can use to help protect their business:

  • Replace default passwords with strong passwords and regularly update them.
  • Protect card data and only store what you need.
  • Inspect payment terminals for tampering and discontinue use of compromised equipment.
  • Use trusted business partners and know how to quickly contact them and escalate issues.
  • Install patches and updates provided to you by your software vendors.
  • Strictly limit in-house access to card data (and know the employees who do have access).
  • Don’t give hackers easy physical or digital access to your systems.
  • Use reputable antivirus software and install the updates they provide to you.
  • Regularly scan for vulnerabilities and fix issues.
  • Use secure payment terminals and solutions.
  • Use a firewall to protect your business from internet intrusions.
  • Encrypt data to make it useless if stolen by criminals.

Not every data breach is caused by malicious criminals. According to the 2018 Cost of a Data Breach study published by IBM and the Ponemon Institute, only half of all data breaches are due to malicious or criminal attacks. Human error and system glitches account for the remaining half. Regardless of their root cause, the PCI Security Standards Council’s best practices strengthen your defenses against the financial and reputational cost of a data breach.


There are unique rules in place for credit card processing in the lodging industry. These rules help protect the cardholder, but they also can protect you from fraud. Knowledgeable criminals know sophisticated ways to “game” the system. These rules can help you stay one step ahead:

  1. If a guest’s charges exceed the initial estimated authorization amount obtained at check-in, always obtain an incremental authorization approval for the additional transaction amount.
  2. If a stay extends beyond two weeks, you should settle the transaction and obtain authorization for a new transaction.
  3. If a guest “purchased” additional items during their stay (e.g., mini bar items), you must provide the cardholder an amended receipt and process the transaction within 24 hours after checkout.
  4. In the case of damages to property, the cardholder must expressly approve the charge before the merchant processes the transaction.
  5. In the case of Dynamic Currency Conversion (when/if you display the purchase price in the cardholder’s own currency), the cardholder must be offered a choice to accept or decline DCC and must actively choose the DCC option prior to the transaction being processed.


So, what should you do if, despite your best efforts, you do experience fraud or a data breach? First, quickly identifying and containing the activity will reduce the impact to your business’s reputation and to customer trust. Here are the specific steps you should take if fraud does occur:

  1. First, call your merchant provider and notify them immediately of any suspected fraudulent activity. They can work with you to help identify the cause and then develop a strategy to help contain it. They may advise you to engage your property management system (PMS) and gateway solution providers.
  2. Once the issue has been contained, you should work closely with your merchant provider to identify potential security vulnerabilities and implement more robust security measures to help prevent future fraudulent activity.
  3. Finally, depending on the scope of the fraud or breach, you may be advised to alert the Payment Brands (e.g., Visa, Mastercard) and the PCI council.


Just like in the lodging industry, sometimes nothing can replace the ability to interact with a knowledgeable professional. Chase’s unmatched expertise in security and fraud mitigation and our client support model prevent most fraud before it occurs. That, combined with our firm’s investments of more than $11 billion in technology and data insights, helps us keep our clients safe. By helping you prevent fraud, we not only help protect your reputation – and ours – we can help you minimize transaction costs and optimize your revenue.

1. AFP Payments Fraud & Control Survey, 2019
2. Kount, eBook: Fraud Takes Off In The Travel And Leisure Industry

