Hotels account for nearly one in three cases of all credit card fraud. While the issue isn’t new, new technologies are presenting possible solutions.
But why is payment fraud so rampant in the hotel industry?
A spokesperson from a New Zealand bank blamed it on negligence on the part of hotels.
“It’s because the front desk doesn’t ever check the credit card against the owner. They’re more concerned with filling the rooms than anything else,” they said.
Factors such as heavy credit card use, high employee turnover, and all the distractions that come with travelling all play a role in the high rate of fraud, and technologies like digital check-ins are creating more avenues for fraudsters to get away with their crimes.
Right now, there are no secondary measures with credit cards in New Zealand. However, banks are trying to implement a two-step verification for credit card payments.
An example of this is if a guest left their credit card in Hawaii during a holiday and someone picked it up and tried to book a hotel room with it. The owner of the card would get a notification on their phone asking if it was them who made the payment, and they would have to verify the payment using either a fingerprint or other means of identification.
In New Zealand, however, that technology isn’t easy to set up. The framework for credit cards was all built back in the 1960s and 70s. Updating it and adding new features won’t happen overnight.
Another solution is using digital currencies, of which Bitcoin is the most widely used. While a lot of the attention around Bitcoin is centred on its speculative worth as a money-making tool, it also has unprecedented layers of security. With digital currencies, no payment information is shared between the merchant and the guest, and the traditional bank ledger framework from the 1960s is bypassed entirely.
However, digital currencies still don’t offer a solution to customer data being stolen online. When customers’ account data is stolen, fraudsters can log in to other people’s accounts, book a room using pre-saved credit card information or loyalty points. With digital check-ins, these guests would be able to bypass the check-in counter and steal a nights’ stay.
Payment technology provider, Payment Express, warned hotels against recklessly storing payment information.
"The best options for hospitality organisations to avoid incurring payment fraud is to avoid writing down, storing or manually processing payments. Instead, it’s recommended for online bookings to use authentication tools like 3D Secure which provide a high level of protection against fraud/chargebacks, and when taking payments on-site always use a payment terminal provider with the highest PCI certification available," said Daniel Favier, sales manager - e-commerce, Payment Express.
New Zealand payment terminal provider, Smartpay, acknowledged that as technology evolves, the fight against fraud is changing.
“With growing methods to collect payments and payment information it both helps and hinders security. The greater range of online payment options means fewer merchants need to do things like taking card details over the phone, and card tokenisation solutions can provide merchants with a better way to store client payment details,” said Natasha Ching, product manager, Smartpay.
Data breaches aren’t only expensive for the guests whose information is stolen, it also comes with significant costs to the hotel companies themselves. When information thieves hack hotel companies, hotels find themselves fighting all sorts of costly lawsuits related to damage liability and confidentiality. On top of that, the damage to the brand’s reputation is incalculable.
Just earlier this year, China’s biggest hotel operator, Huazhu Hotels had customer data from 130 million guests stolen when they accidentally uploaded part of their database to web hosting service GitHub. It was stolen by a hacker who attempted to sell the data on the dark web for NZ$80,000 worth of Bitcoin, which is untraceable for authorities. Huazhu’s stock price was immediately hurt by the hack, dropping over 20 percent on the NASDAQ exchange in the two weeks after news broke about the leak.
“Businesses that need to collect customers payment card information must ensure that they have good processes in place for safe handling, storage and disposal of that data. Access should be limited to staff who require this type of information and these people should be trained in processes of security breaches,” said Ching.
“Your best protection against payment card fraud is frontline staff understanding and vigilance.”
The blame doesn’t all fall on hotel workers though. Guests still need to hold some responsibility for their payment information.
“People still need to be smart about who they provide their card details to, and how they are being collected."
