HTNG Secure Payments Framework for Hospitality
Document now available! Click to view the document - (17 MB PDF, please be patient!)
See how leading hospitality security experts have outlined a solution for the industry!
Click image to open the 17 MB PDF
The hospitality industry is a prime target for payment card data thieves. According to the Trustwave SpiderLabs Global Security Report 2011, approximately 38% of all payment card data breaches occurred within the hotel sector.
The very nature of the hotel industry makes it particularly vulnerable. Hotels are unlike industries such as retail, where payment card data is often needed only for the duration of sale. Hotels must store payment cards for weeks and months for reservation guarantees. Additionally, payment card information is often provided to the hotel through a series of unrelated parties that are outside the control or influence of the hotel. As a result, solutions that are effective for retail and other industries have significant gaps when applied to hotels’ needs.
This document presents a framework of best practices and references standards that can be applied to reduce the risks and costs associated with handling payment card information for hotels. This framework was developed by a group of security experts from numerous hotel companies. The HTNG approach shifts the risk of handling payment data away from the hotel, replacing the data with “tokens.” These tokens are useless to cyber thieves. This approach dramatically improves security, and is aligned with the PCI Council’s best practices.
The HTNG framework builds on existing solutions from the payment industry and is consistent with approaches being pursued by most major hotel groups. However, it extends these efforts to cover gaps that are not addressed by existing commercial solutions, or indeed by even the most advanced hotel company.
The result allows hotels to complete the process of removing ALL payment card data from ALL of their systems, dramatically reducing the cost of PCI compliance. Because hotels have no obligation or reason to tell customers if a breach of useless data occurs, the cost and impact of remediation, and the effect on brand reputation, are minimized.
This framework creates new opportunities for payment solution providers to address critical industry needs by enhancing existing solutions or developing new ones. Opportunities include extending tokenization and vaulting services; providing new services to securely handle and route payment card data to and from external parties and systems (e.g. online travel agencies, central reservation systems, meeting planners); and developing secure stand-alone devices to allow hotels to safely view the actual payment card data associated with a token, when needed.
Additionally, the framework helps to educate and inform hoteliers about existing payment solutions that support elements of the framework, such as secure swipe terminals and tokenization services.
Links to HTNG Specifications Referenced in this Document:
Authorization, settlement, void, reversal, etc. using Tokens: the HTNG Payment Systems & Data Security - Payment Processing Specification 2.0 handles all basic lodging transactions.
The HTNG Payment Systems & Data Security - Data Proxy Specification 1.1 supports the creation, management and use of Tokens through a Tokenization Service that is independent of the Hotel Application Systems. In the Secure Payments Framework, Hotels will not need this information because they will never touch Payment Card Data, but their service providers may find the messages useful. In addition, Hotels may find them useful during a transitional period.
The HTNG Hosted Payment Capture Systems Specification 1.0 provides the means to collect payment information from a Customer on a hosted system. This messaging specification enables products to deliver secure, hosted solutions for the capture and processing of Payment Card Data, without exposing the underlying Hotel Application Systems to PCI scope. It can be used on Hotel Web Sites, in the Central Reservation Systems, or in a contact center’s Interactive Voice Response (IVR) System.
HTNG’s library of web services is most easily implemented using a common framework for message routing, reliability, security, error handling and other services not related to the message payload. The HTNG Property Web Services Specifications – Web Services Framework 2.1.1 (Part 1) provides this “plumbing” layer for connectivity. The SOAP-based WSF enables two systems to reliably exchange any XML messages (HTNG or proprietary), vastly simplifying the implementation of interfaces. The latest version also supports event subscription and notification across systems.
For questions/discussions about the Framework, HTNG members can visit HTNG's Discussion Board
Non-members of HTNG can direct questions through their relationships with major hotel brands, technology providers, and payment service providers who are HTNG members, or can apply to join HTNG here.
Media Inquiries Welcome
Bill Fallon at keating/co
212 925 6900 (o)
973 768 6764 (m)