HTNG Members Delaware North and Springer-Miller Partner Up to Develop a Solution to Guest Data
Case study: Working together to protect guest data
Delaware North and PAR Springer-Miller are collaborating to implement an HTNG workgroup standard for encrypting and transmitting guests’ personal financial data.
Announcements from Fortune 500 companies regarding a breach of their data communication systems have become so regular that today’s consumers are no longer shocked. What was once an alarming notification that triggered financial panic has become almost commonplace. But the fact that data breaches are occurring more frequently does not diminish their consequences. Data breaches today are a real and present danger, and to this point it seems we’ve been unable to slow them down.
The fragmentation of the hotel industry—which collects guest credit card information on more than a billion transactions a year—has made hotels an easy and high-profile target. Personal information collected by one supplier’s hardware may be sent through another supplier’s system before being stored in a third supplier’s database. Therefore, over the past few years, various system providers have come together to make guest privacy and data security top priorities.
One particular example is currently underway. Delaware North, which owns or operates 20 hotels and resorts, is working with several of its technology providers to identify a standard code by which personal guest data will be transmitted and stored. The following case study outlines the business problem and the end goal, with specifics on how the goal will be accomplished and details on the players involved in solving one of today’s trickiest challenges.
Business problem: Erase gaps in data security
- Breaches cast hotels in negative light
- Why hotels are an easy target
- Various systems must interpret the same data
The hotel industry is a prime target for hackers looking to gain access to sensitive personal data. In the past five years, the industry has seen cyber criminals steal customer or employee personal information, including credit card account numbers, bank account codes, social security numbers, e-mail addresses and other items useful in carrying out identity theft.
Why are hotels targeted? A few reasons: Hotels transact a large amount of business through credit and debit card swipes, and payment card fraud is a common type of identity theft. Because hotels must transmit data across multiple systems—oftentimes from the individual hotel to the credit-card processor to the management company to the hotel brand and back—the data needs to be read and understood by each of those systems, and therefore encrypting the data creates communication challenges.
For example, when Joe Smith checks in to his hotel, his credit card is commonly swiped at a front desk kiosk so that Mr. Smith can be charged for any incidentals at the end of his stay. His card is authorized and the personal data from his card needs to be stored in the property management system so it can be charged later if need be. If the front desk kiosk and the PMS are not operating under the same standard, that information is not easily encrypted and can be open and available to outside parties, including hackers.
Solution in progress
- HTNG promotes collaboration
- Tokenization is the first step
- Future standards will be available to everyone
To best tackle the problem, Delaware North and its technology providers are working extensively with Hotel Technology Next Generation, a global trade association made up of hotel IT executives that fosters collaboration among hoteliers and technology providers. In 2010, HTNG developed a workgroup centered on creating a payment integration standard between a hotel’s property management system and its payment gateway. Many PMS providers will be affected, but Delaware North is working predominantly with Stowe, Vermont-based PAR Springer-Miller Systems, supplier of the ATRIO® and SMS|Host property management software solutions, which is also well represented in HTNG’s payment standard workgroup.
Both the hotel managers and software providers are working together to define what data needs to be exchanged and how to best communicate it. Developers are discussing the pertinent information needed to satisfy requests from one system to the next (credit card numbers, cardholder names, expiration dates, etc.).
One step of the solution that will be implemented is tokenization, which is the process of converting credit card numbers to a data proxy. This token is stored in business systems and thus removes the liability of storing cardholder data in the property management or point-of-sale systems. Tokenization in the hotel space is a relatively new concept (the first major hotel chain implemented tokenization in 2007), and one that HTNG has adopted and endorsed as the basis of the industry’s card data protection solution.
As the industry takes action to keep its customers’ information safe and secure, the HTNG standard message set adopted by PMS and POS systems, in conjunction with a token vault, would allow a company to reduce its risk by utilizing tokens and reducing Payment Card Industry Data Security Standard requirements. If the token is the same across systems, robust reporting from the PMS or POS where the token resides would allow a company to correlate sales information and customer profiles in a safe and PCI-compliant manner.
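The following added example (not part of the case study and not the HTNG message set) sketches the idea: a vault is the only component that holds card numbers, while the PMS and POS hold the same token and can be joined on it for reporting. The class and function names, the HMAC-based token format, and the sample records are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets


def luhn_ok(pan: str) -> bool:
    """Check the Luhn checksum used by payment card numbers."""
    digits = [int(c) for c in pan]
    for i in range(len(digits) - 2, -1, -2):
        doubled = digits[i] * 2
        digits[i] = doubled - 9 if doubled > 9 else doubled
    return sum(digits) % 10 == 0


class TokenVault:
    """Hypothetical in-memory vault; the only component that ever holds a PAN."""

    def __init__(self, key: bytes):
        self._key = key              # secret key, never shared with PMS/POS
        self._pan_by_token = {}      # token -> PAN, kept inside the vault only

    def tokenize(self, pan: str) -> str:
        pan = pan.replace(" ", "").replace("-", "")
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_ok(pan)):
            raise ValueError("not a valid card number")
        # Keyed hash: the same card always yields the same token, but the
        # token cannot be recomputed or reversed without the vault key.
        mac = hmac.new(self._key, pan.encode(), hashlib.sha256).hexdigest()
        token = f"tok_{mac[:24]}_{pan[-4:]}"   # last four kept for receipts
        self._pan_by_token[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        """Only the payment path should be allowed to call this."""
        return self._pan_by_token[token]


def correlate(pms_rows, pos_rows):
    """Join PMS folios and POS checks on the shared token; no PAN involved."""
    spend = {}
    for row in pos_rows:
        spend[row["token"]] = spend.get(row["token"], 0) + row["amount_cents"]
    return {r["guest"]: spend.get(r["token"], 0) for r in pms_rows}


def demo():
    vault = TokenVault(secrets.token_bytes(32))
    # Constructed sample data using well-known test card numbers.
    t_front_desk = vault.tokenize("4111 1111 1111 1111")   # swipe at check-in
    t_restaurant = vault.tokenize("4111-1111-1111-1111")   # same card at POS
    t_other = vault.tokenize("5555555555554444")
    pms = [{"guest": "Joe Smith", "token": t_front_desk}]
    pos = [{"token": t_restaurant, "amount_cents": 4250},
           {"token": t_restaurant, "amount_cents": 1800},
           {"token": t_other, "amount_cents": 9900}]
    return t_front_desk, t_restaurant, correlate(pms, pos)
```

A system that stores only these tokens can still report spend per guest, while a copy of its database exposes no full card number.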
- Adoption is a long process
- PSMS expects 2016 API rollout
- Standards benefit the end user
Although the payment security standard has been established, hurdles remain in getting it adopted and built by various vendors throughout the industry. PAR Springer-Miller, for example, is in the process of building to the HTNG payment specs and hopes to roll it out in 2016. Other vendors will surely follow suit.
For hotels, having a standard for integration allows them to shop for best-in-breed services. If two software solutions are using a standard protocol to communicate, hotels can switch from one provider to another without risking loss of functionality or gaps in data security.
Once the HTNG spec is adopted by a large number of providers, hotels will be that much closer to ensuring their guest data is protected to the fullest extent.
Sidebar: Additional benefits to integration
Before HTNG, property management providers often wrote interfaces to every point-of-sale system on the market. Each vendor had their own way of communicating and code was written to accommodate all of the various players.
Now, HTNG develops the API and vendors such as PAR Springer-Miller write to it. Instead of a development effort, it becomes a certification project, and if new players want to integrate they must pass the certification process.
Building a standard specification is no small feat for hotel technology providers. It takes away from developers’ main duties and therefore must come with some tangible ROI. Part of the value of building standards is that vendors can write once and then use the API in many different places. Once the interface is built, it’s standard practice for vendors to ask other technology providers that wish to integrate to build and adopt the same standard. This opens up the number of partners a technology provider can have throughout the industry.
Whether or not a technology provider is an HTNG member or involved in a workgroup, all companies could benefit from the creation of the standard. Once a standard is derived, various technology system providers can retrieve the technical specifications from HTNG’s website free of charge and adopt them so that they can communicate across a common platform and integrate seamlessly with other technologies. For example, restaurants, spas and golf operations within the hotel will be able to deploy systems that adopt the standards, such as payment processing or guest self-service, single guest itinerary, point of sale, guestroom status and many others. Business intelligence, revenue management, channel management and distribution systems are all able to adopt standards that will ensure their integration will be secure, feature-rich and seamless.
“When you look at it historically, integration has evolved incredibly. Before HTNG, two companies would sit down and spend months developing an API and then many more months building it. Now that we’ve got standards, you grab the specifications and you’re in building mode rather quickly.”
-- Chris Donahue, senior product manager, PAR Springer-Miller Systems
“Some of the workgroups have created a solution for something that isn’t even a problem yet.”
-- Joe Rembold, solutions architect, Delaware North
HTNG Member Works With Hoteliers to Improve Guest Entertainment
Company Name: SONIFI Solutions
Author: Joel Zdepski, CTO/Chief Architect at SONIFI Solutions
Co-Authors: Bob Combie, VP Asset Management, Sunstone Hotels
Donald O'Grady, VP Technology at Kimpton Hotels & Restaurants
Bernard Poncelet, Vice President, Business Development at Single Digits.
Hotel Location(s): Hyatt Regency San Francisco and Sir Francis Drake (San Francisco)
Participating HTNG Vendors: SONIFI Solutions
Describe the situation. What was implemented at the hotel?
SONIFI and its hotel partners recognized an opportunity to change the manner in which guest entertainment is delivered within the guest room by leveraging technologies that are gaining rapid adoption in the consumer marketplace. While it is nearly impossible to characterize the expectations of the “average” hotel guest today, we do know that at home one has the ability to create an entertainment environment that meets their personal taste. Hoteliers understand they need to dramatically improve guest in-room entertainment and create a home-away-from-home experience, but they are in the increasingly difficult position of needing to anticipate what delivery mechanism provides the widest set of desired services with a manageable cost of ownership. SONIFI and partners had four key objectives:
1. Free the hotelier of the burden to pick content application winners by building a solution that would leverage consumer hardware and applications with which guests are familiar.
2. Ensure the solution could evolve rapidly and not become stagnant by leveraging the ecosystem of media and technology application development.
3. Keep the guest in control of personal information and ensure guests of security without requiring overly complex systems.
4. Ensure as broad appeal as possible with a solution that will be agnostic to the devices carried by hotel guests, particularly iOS and Android independent.
The Consumer Electronics industry has offered a variety of hardware devices in the form of set-top boxes (STB), media servers, software media players and small media “sticks” to view the expanding set of content available to consumers. SONIFI provides solutions to view over-the-top (OTT) content through three architecture options: STB, Smart TV, and its new service called SoniCast.
There has been a rapid expansion of streaming media services on the internet, commonly referred to as “over the top” (OTT) services, which users can access through their internet service independent of the provider of internet access. These services are increasingly accessible through mobile devices. Content can be enjoyed on the mobile device, or increasingly “cast” to a TV screen with a variety of technologies. Google Cast is a leading technology for this application, provided with Chromecast.
The OTT applications enable the user to find and enjoy relevant content through intuitive interfaces that are increasingly feature rich. They often include personalization and convenience features that rely on personal information such as viewing history and preferences. Guests may be hesitant to log in with the Smart TV or STB apps because they enter their credentials into the hotel-provided device to access their OTT accounts. Consumer devices do not have the enterprise management features needed in a hospitality setting that would allow for clearing this personal data. Therefore, it is left to hospitality technology vendors and system integrators to add value by implementing solutions to fill this need.
SONIFI’s SoniCast solution offers a more integrated and secure guest experience than other solutions. At its core are Google Chromecast devices managed by the SoniCast Network Controller (SNC). This choice meets the desire for low cost, a robust application development ecosystem and safeguarding guests’ personal information, which resides exclusively on their personal devices. A wired or wireless Chromecast device is installed in each guest room, encapsulated in a tamper- and theft-resistant enclosure. It is inserted into the HDMI port of the commercial TV and is powered by the TV USB port, or with a power plug on the rare occasion that the TV does not have a powered USB connection. The SNC is a network appliance consisting of commodity server computing and networking hardware in a 1-U rack-mountable enclosure. The system is Linux based, running SONIFI’s proprietary application software. The solution also contains a web services application programming interface (API) as an integration point for an on- or off-property guest internet provisioning system and/or property management system (PMS).
To use, guests simply connect to the hotel Wi-Fi, pair their phones or tablets to the SoniCast service, then authenticate and interact using their own devices. (See Figure 1). As a result, casting via SoniCast does not require a guest to log into hotel-provided devices, keeping personal information on their personal devices. SoniCast continues to evolve to make the casting experience more similar to the guest in-home experience by automatically pairing the guest device. Alternatively, in properties where SONIFI integrates directly with the hotel property management system, guests could enter a simple code.
Figure 1: An example graphic displaying the television and guest device casting
What HTNG standards were utilized with this success story, and how were those standards used at this property (benefit to the hotel, time frame to installation, cross-vendor participation)?
HTNG standards and participation were instrumental in the SoniCast implementation. The design of the SNC web services API is meant to integrate with PMS interfaces compliant with the HTNG specification “Guest & Room Status Messaging Specification 20011B”. This specification is the key standard to allow disparate systems to react appropriately to guest Check-in and Check-out. The SoniCast system allows casting from guest devices only for a legitimately checked-in room.
Our experience is that installations are very quick. They required the hotels’ guest internet access (GIA) providers to make simple changes to the existing configuration to allow our SNC to function. Hotels’ IT teams prepared networking ports within their switches. On separate installations, guest internet operating services companies Single Digits (HQ: New Hampshire) and DCI – Design Communications LLC (HQ: Syosset NY) prepared the GIA distribution plant for the install, and at one site a quick consultation with HTNG member Ruckus proved invaluable. Systems are remotely monitored from SONIFI’s Sioux Falls based network operations center (NOC). Installations were completed on time and on budget.
How did HTNG participation improve the project (product compatibility, contacts, ease of integration)? Please include any measurable metrics supporting your statement.
HTNG participation has been valuable to SONIFI throughout its history. SONIFI participates in all the HTNG workgroups relevant to its business. The Personal Area Network (PAN) workgroup was a forum for identifying the importance of network isolation and utilization of hotel or guest-provided technologies. In the end, SONIFI focused on a more narrow solution than providing a generic PAN in the guestroom. HTNG group participation improved the project because it framed issues and pitfalls, ultimately focusing project scope and improving integration. Further, HTNG standards give SONIFI confidence that future installs will not require new development. A variety of technologies are in development in the consumer electronics and networking industries for the type of device isolation required to enable the use-case presented in this paper. As the PAN continues its work documenting best practices with respect to these technologies they can make a valuable contribution to the hospitality industry.
How has the project affected the guest or operational experience?
Hyatt Regency San Francisco launched the SoniCast service to 50+ guest rooms in December, 2015 and Sir Francis Drake launched the service to 60+ rooms in January 2016. The technical trials have been in continuous operation since installation.
Guest experience has been enhanced in two ways. Guests are not limited to only those applications typically found on commercial STBs and Smart TVs; guests can stream content from any of the Google Cast [1] capable applications on the web [2]. Regardless of which OTT casting application is used, the guest has not been required to enter account information into a hotel provisioned Google Chromecast, nor has the hotel needed to test and verify that user credentials are deleted at the end of the stay.
[1] A growing list of cast capable applications can be found at www.google.com/chromecast.
[2] Availability may depend on regional content rights. This is not unique to casting.
While these implementations are relatively recent, the real-world usage aligns with our expectations of how guests would react to a platform giving them significant entertainment choices. To date 62 different applications have been accessed, illustrating how interested guests are in utilizing a system that enables them to recreate an in-home experience in their hotel room. Figure 2 shows the relative frequency of applications used to date, as well as categorizing them by the type of application. The largest usage – measured by sessions and hours watched – is of portals to exclusive and curated content which are cast-capable, such as Hulu™ and Netflix™, along with user-generated content on YouTube™. Increasingly, premium channels provide a casting option using authenticated credentials from a guest’s home television subscription to stream both catch-up and live content from channels that may not be available in a particular hotel’s FTG lineup; both HBO GO and SHOWTIME ANYTIME are examples. Personal pictures and movies can be cast directly from the guest’s device or from personal web portals such as Google Photos. A final application type being used with SoniCast is home personal media servers such as “Plex” that stream content to the hotel directly from the guest’s home. The application ecosystem is also rich with browser-based applications which allow a guest to still enjoy casting content from websites which do not yet have a cast capable application. So far, 10 such different applications have been used with SoniCast.
Figure 2: Relative frequency of OTT applications used by guests to date
Figure 3: Types of applications used by guests to date
While these implementations are relatively recent, Hyatt Regency San Francisco and Sir Francis Drake are pleased to already have anecdotal reports of guest satisfaction and confidence. Both hotels have indicated their satisfaction with the implementations and intentions to make the technology a part of their differentiated guest experience if our initial successes are sustained. During the drafting of this paper, Hyatt Regency San Francisco progressed to full deployment to all 804 guest rooms, making it the first large hotel in the world with 100% of guest rooms enabled with Google Cast technology.