Hotel Data Security — PCI Compliance and PII Security Explained

by Mohammad Ziaee

Technology is fast becoming standard in global hospitality, driven by growing guest expectations. It has proven to attract new guests, cut costs significantly, and make hotel staff more efficient. The downside is that every one of these hospitality technologies is also a target.

Each digital touchpoint, from POS terminals, websites and local hotel databases to signage systems, robot concierges and mobile apps, widens a hotel's attack surface. Prominent names including Marriott International, Hilton, Hyatt Hotels Corp. and InterContinental Hotels Group have already fallen victim to large-scale cyberattacks that compromised terabytes of sensitive guest data.

A sound cyber security infrastructure is now essential for any hotel that deploys technology across its properties. Kevin Davis Insurance lists the three most common cyber security threats hotels face: point-of-sale attacks, ransomware, and theft of personal information over Wi-Fi.

PCI (Payment Card Industry) Compliance Standards

The PCI Data Security Standard (PCI DSS) is one of the most comprehensive and rigorous frameworks governing the security of guest payment data in hotels. As the official PCI Security Standards Council website puts it, payment data theft undermines the integrity of the global card payment ecosystem. So what exactly does PCI compliance mean?

A significant payment card breach costs customers their trust in their banks, costs merchants credibility and revenue, and leaves every party involved exposed to liability. The standard exists to give merchants a baseline of controls for processing card payments and handling cardholder data.

The PCI Security Standards Council, formed in 2006, maintains PCI DSS and administers the compliance programme built on it. The standard applies to every system that stores, processes or transmits cardholder data, and consists of 12 requirements grouped under 6 control objectives: build and maintain a secure network and systems, protect cardholder data, maintain a vulnerability management programme, implement strong access control measures, regularly monitor and test networks, and maintain an information security policy.

Protection of PII, or Personally Identifiable Information

Today a hotel holds a mass of information about its guests, from names and addresses to payment card details. Protecting that information is the hotel's responsibility, and as noted above, theft of personal information is among the most common cyber threats hotels face.

Before moving on to the ramifications of losing such information, let's quickly go over what exactly PII is.

What is Personally Identifiable Information?

Personally Identifiable Information (PII) is sensitive information that can be used to identify, contact, or locate a particular person. The US National Institute of Standards and Technology (NIST), in Special Publication 800-122, defines it as:

"… any information about an individual maintained by an agency, including (1) any information that can be used to distinguish or trace an individual's identity, such as name, social security number, date and place of birth, mother's maiden name, or biometric records; and (2) any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information."

Examples of personally identifiable information include:

  • Names (e.g. full name, maiden name, mother's maiden name, or aliases)
  • Personal identification numbers (e.g. social security number (SSN), passport number, driver's license number, taxpayer identification number, patient identification number, and financial account or credit card numbers)
  • Addresses (e.g. street address, office address, email address)
  • Asset information (e.g. Internet Protocol (IP) address, Media Access Control (MAC) address, or any other host-specific persistent static identifier that consistently links to a particular person or a small, well-defined group of people)
  • Telephone numbers (e.g. mobile, business, and personal numbers)
  • Personal characteristics (e.g. photographic image, x-rays, fingerprints, biometric images or template data such as retina scans, voice signatures, or facial geometry)
  • Information identifying personally owned property, such as vehicle registration number or title number and related information
  • Information about an individual that is linked or linkable to one of the above (e.g. date of birth, place of birth, race, religion, weight, activities, geographical indicators, employment information, medical information, education information, financial information)
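In practice the first step in protecting this data is knowing where it sits. The following scanner is an added example, not code from the original article or from the author's company: it looks for a subset of the identifier types listed above (email addresses, telephone numbers, IP and MAC addresses, and payment card numbers) in free-text guest records, validates card candidates with the Luhn check so that loyalty or folio numbers are not mistaken for PANs, and masks real PANs to the first six and last four digits, the most PCI DSS v3.2.1 allows to be displayed. The record format and the sample records are constructed for the example and contain no real guest data; 4111 1111 1111 1111 is a well-known test card number.

```python
"""PII scanner for hotel guest records (added example, not from the article).

Finds email, phone, IPv4, MAC and payment card numbers in field=value records,
keeps only Luhn-valid card candidates as PANs, masks those PANs and tags the
other identifiers so the record can be logged or shared safely.
"""
import re

# Constructed sample export lines in a hypothetical field=value format.
SAMPLE_RECORDS = [
    "guest=Jane Doe; email=jane.doe@example.com; phone=+1 212 555 0143; card=4111 1111 1111 1111",
    "guest=John Roe; email=john@example.org; loyalty=1234 5678 9012 3456; phone=(020) 7946 0958",
    "guest=Anon; ip=10.0.0.8; mac=00:1A:2B:3C:4D:5E",
]

# 13 to 19 digits with optional single space/dash separators: the PAN length range.
CARD_CANDIDATE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")

# Patterns for the other identifier types from the PII list above.
PATTERNS = {
    "email": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    "phone": re.compile(r"\+?\(?\d[\d\s().-]{6,}\d"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "mac": re.compile(r"\b(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}\b"),
}


def digits_only(s: str) -> str:
    return re.sub(r"\D", "", s)


# The phone pattern is deliberately loose; a plausible digit count cuts false positives
# such as IP addresses or 16-digit account numbers that are not card numbers.
VALIDATORS = {"phone": lambda s: 10 <= len(digits_only(s)) <= 15}


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit validation: a 13-19 digit run that fails it is not a PAN."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:            # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep first six and last four digits; PCI DSS v3.2.1 req. 3.3 permits no more."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scan_record(record: str):
    """Return (findings, redacted): hits by identifier type, and the record with
    PANs masked and other identifiers replaced by a <type> tag."""
    findings = {}
    pans = []

    def _mask(m):
        d = digits_only(m.group(0))
        if not luhn_ok(d):
            return m.group(0)     # a digit run, but not a card number
        pans.append(d)
        return mask_pan(d)

    # PANs first, so the remaining digits of a masked card cannot be re-flagged as a phone.
    redacted = CARD_CANDIDATE.sub(_mask, record)
    if pans:
        findings["pan"] = pans

    for kind, pat in PATTERNS.items():
        ok = VALIDATORS.get(kind, lambda s: True)
        hits = [h for h in pat.findall(redacted) if ok(h)]
        if hits:
            findings[kind] = hits
            redacted = pat.sub(lambda m: f"<{kind}>" if ok(m.group(0)) else m.group(0), redacted)
    return findings, redacted


if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        found, safe = scan_record(rec)
        print(found)
        print(safe)
```

Names, passport numbers and other free-form identifiers from the list cannot be recognised by a generic pattern and need field-aware rules or dictionaries; the scanner above is a starting point for inventorying where PII and cardholder data live, not a substitute for a PCI DSS scoping exercise.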

The Importance of Securing PII

Hotels are required to protect this information proactively and must take security measures to guard it against unauthorized access, theft, and loss. Any compromise of personal information can have dire consequences, both financial and reputational. Take the case of the massive data breach Marriott International disclosed in November 2018.

Records on as many as 500 million guests held in the Starwood guest reservation database, covering stays since 2014, were exposed and stolen, and the company now faces multiple lawsuits. Regardless of how the data was breached, the financial consequences can be huge and come with severe reputational damage.

About the author

Mohammad Ziaee is the Director of Technology at Advanced Hospitality Technologies. He brings over two decades of experience in hospitality IT, with expert knowledge offering insights on emerging trends and the future of hotel technology.

The article was originally published at:


March 12, 2019


© HAKIN9 MEDIA SP. Z O.O. SP. K. 2013