Hospitality is one of the most targeted sectors for data theft. The hotel industry in particular suffers one of the highest rates of data breaches of any sector, because the information it processes (payment cards and identity documents for a constant stream of guests) is highly attractive to criminals.
However, any business that interacts with the public and has inadequate data protection policies and practices in place could unwittingly be giving cybercriminals easy access to customer names, addresses, mobile numbers, card details, passports, driving licences and car registration plates, to name just a few. Furthermore, if customers have to provide personal details to access your Wi-Fi network, the email address and password they enter are also at risk.
This is why the EU General Data Protection Regulation (GDPR) and the Payment Card Industry (PCI) standards exist: to ensure that adequate data protection is built into the way personal and payment data is collected and maintained.
- The Payment Card Industry Data Security Standard (PCI DSS) is an international security standard, maintained by the PCI Security Standards Council that the major card brands founded, which sets requirements for securely storing, processing and transmitting cardholder data. It is not a law; it is enforced through your agreement with your acquiring bank or payment processor.
- On 25 May 2018 the GDPR (General Data Protection Regulation) came into force across the European Union. It extends and strengthens the rights of individuals in the EU over the collection, storage and processing of their personal data by companies and organisations. Personal data covers an extensive list of identifiers such as a person's name, passport number, bank account number, email address and IP address.
But what are the consequences?
Imagine a data security breach that exposes guest or customer information and card details. Beyond regulatory fines, your business can suffer serious damage to its brand reputation, and if you are part of a larger hotel chain or franchise the consequences can extend to the whole brand.
If you accept card payments, your agreement with your acquirer obliges you to comply with PCI DSS. If you fail to meet these obligations you can be fined by the card brands through your acquirer and ultimately lose the right to accept card payments, the impact of which is self-explanatory in today's payment landscape.
So where do we start?
The best place to start is a security audit that reviews all current practices and checks they are fit for purpose under the GDPR and/or PCI DSS. Typical findings and requirements include:
- Review admin logins regularly. Change every default password on routers, access points and back-office systems, give each administrator a unique, strong credential, and change passwords when staff leave or a compromise is suspected. Shared or default admin credentials are a basic data security error that gives cybercriminals easy access to your systems and databases.
- Keep guest Wi-Fi separate from the business network. Putting guests on their own network (ideally a separate VLAN, with client isolation enabled on the access points) means different security policies can be applied to each and reduces the chance of an attacker connecting as a guest in order to reach sensitive systems.
- Apply different levels of access control and separate traffic across the network, so that the payment systems, the business LAN and the guest network cannot talk to each other except where a rule explicitly allows it. For PCI DSS this segmentation also limits which systems fall within the scope of the cardholder data environment.
- Article 32 of the GDPR specifically requires businesses to implement appropriate technical and organisational measures to secure personal data when accessing and processing it. Businesses across all sectors must also regularly test, assess and evaluate the effectiveness of those measures.
- Where you rely on consent to collect personal data (for example to send marketing to guests who sign in to your Wi-Fi), that consent must be freely given and specific: guests must be presented with a clear, unticked opt-in during the connection process, and a pre-ticked box does not count.
- Any data held must be kept accurate and up to date, and reviewed regularly.
- Data should be kept only for as long as it is needed for the purpose it was collected for, after which it should be deleted or anonymised.
- Requests by individuals to correct their data, to have it erased, or to be told what is held about them must be answered within one month of the request (extendable by a further two months for complex requests, provided the individual is told why).
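The two network items above (a separate guest network, and traffic separation with explicit access control) are most easily shown as a firewall ruleset. The following nftables configuration is an added example for a Linux gateway, not Entire IT Solutions' product configuration. Every interface name, subnet, host and the card processor's address are assumptions chosen for illustration (203.0.113.10 is a documentation address and must be replaced).

```nftables
#!/usr/sbin/nft -f
# Added example, not Entire IT Solutions' configuration: a gateway ruleset that
# enforces guest / business / payment separation with default deny.
# All of the following are assumptions for illustration:
#   eth0   = WAN uplink
#   vlan10 = business LAN    192.168.10.0/24 (192.168.10.5 is the back-office PC)
#   vlan20 = payment / POS   192.168.20.0/24
#   vlan30 = guest Wi-Fi     192.168.30.0/24
#   203.0.113.10 = the card processor's endpoint (documentation address, replace it)
flush ruleset

define BACKOFFICE_HOST = 192.168.10.5
define PAYMENT_PROCESSOR = { 203.0.113.10 }

table inet segmentation {
    chain forward {
        # Anything not explicitly accepted below is dropped
        type filter hook forward priority 0; policy drop;

        # Replies to flows that were already permitted, in either direction
        ct state established,related accept
        ct state invalid drop

        # Guest Wi-Fi: internet only. No rule lets vlan30 reach vlan10 or vlan20,
        # so any such attempt falls through to the logged drop at the end.
        iifname "vlan30" oifname "eth0" accept

        # Business LAN: internet, plus one named host may manage the POS segment over HTTPS
        iifname "vlan10" oifname "eth0" accept
        iifname "vlan10" oifname "vlan20" ip saddr $BACKOFFICE_HOST tcp dport 443 accept

        # Payment segment: may talk only to the card processor, never to guests or the LAN
        iifname "vlan20" oifname "eth0" ip daddr $PAYMENT_PROCESSOR tcp dport 443 accept

        # Everything else is counted and logged before being dropped, so the
        # segmentation can be tested and reviewed rather than assumed to work
        counter log prefix "seg-drop: " drop
    }
}
```

Load it with `nft -f` and then test it the way an auditor would: connect a laptop to the guest Wi-Fi, try to reach 192.168.10.5 and a POS terminal on vlan20, and confirm both attempts appear in the kernel log with the `seg-drop:` prefix. Note that the ruleset only governs traffic crossing the gateway; preventing guests from seeing each other on the same Wi-Fi is the access point's client isolation setting, and the gateway's own services for guests (DHCP, DNS, the captive portal) are handled in an input chain that is not shown here.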
Data is at the core of most businesses that interact with the public and will be for the foreseeable future, but the fact that data is stored electronically does not make it safe and secure. With company and guest data constantly at risk, protecting it requires a coherent strategy rather than ad hoc fixes.
What can we do?
It is your job not only to choose a vendor whose offer fits your business, but also to check that they are PCI DSS and GDPR compliant. Entire IT Solutions can provide a guest Wi-Fi network that is kept separate from your business and payment networks. Keeping them apart means different security policies can be applied to each in order to protect sensitive information.
To find out more about PCI & GDPR compliance
Call 0131 466 6886 and speak directly to a Wi-Fi Consultant about your compliance requirements in more detail. Alternatively, email us through our contact form and a member of our team will contact you the same day.