I'm a competitive person, and a good way to get me motivated to do anything is to give me stakes. I need to beat someone, win something or reach a tangible goal. Well, on my first day at the Mystic Marriott (Conn.) for Hotel & Motel Management's In Your Shoes campaign, I have a goal.
I'm going to win an iPod.
Let me explain. The Mystic Marriott is a 285-room hotel operated by the Waterford Hotel Group, and in talking with GM Michael Allen, I quickly learned how much of an emphasis is placed on customer service and guest relations.
"The sales team gets [guests] in the door the first time," he said. "But the service is what gets them to come back."
The Mystic Marriott has a lot of selling points. It's really the only full-service, resort-like property in the area—complete with steak house, spa and more than 20,000 square feet of meeting space—and the Mystic area is a desirable location smack in the middle of the Northeast U.S. But, as Allen said, it's the service that will really make a difference in the end. And because of that, he created the position of guest services specialist, who is in charge of dealing with guest issues and improving guest services scores.
Lisa Buckley is the guest services specialist, and she's been on the job since October. After being appointed, she compiled a Top 10 list of problem areas in service and then worked to cross them off with the goal of raising the Marriott GSS score of the property to 85.
Earlier this year, Buckley organized a training session for all Mystic Marriott associates to address the Top 10 list and key areas in the GSS. Since that time, she has declared that Top 10 list conquered and is now at work to compile another list.
Some key changes she implemented include the Lobby Ambassador program, which designates staff members throughout the day to the lobby area to talk with guests, see if everything is OK, and hand them a special comment card. All of the comment cards turned in give Buckley another data point for customer feedback in order to know what issues the hotel needs to address.
"If a guest has any challenges during their stay, I'd like to make the recovery before they leave," Buckley said. A recovery is a big focus of the guest services specialist—taking problems head on and doing what's possible to smooth everything over.
What does this have to do with me winning an iPod? The best way to improve guest relations is to improve staff relations. A happy staff is a productive and friendly staff. And the Mystic staff is happy. The property has several programs in place to recognize outstanding employees and to encourage GSS score improvement. One of these is the Heard it Through the Grapevine program. Whenever an employee gets mentioned by name by a guest or another employee for doing a job above and beyond, they get a Heard it Through the Grapevine card. Each month, employees put their cards in a drawing to win an iPod.
So basically, I've set my sights on getting a card before Friday in the hopes of winning an iPod. "Remember, that's Chris Crowell who just held the elevator door for you. Have a wonderful day!"
Tomorrow I'll be in laundry and housekeeping. Anyone who drops my name gets an extra mint on their pillow.
Follow Chris's adventures in real time on Twitter @HWN_Chris
As the last days of the show wrap, I’ve been getting mixed reviews on tradeshow floor traffic during HITEC 2010 at the Orange County Convention Center in Orlando. Some vendors are wildly impressed with the quantity and quality of prospective buyers. Others expected more attendees. After two days of parading the hall from one end to the other, one thing is for certain: my feet hurt.
At any rate, here are the top five trends I noted at HITEC 2010:
1. Cloud computing. Also known as software as a service or Web-based software, the ability to house servers, data and other infrastructure off-site is becoming increasingly popular with hoteliers. Why invest in clunky hardware and litter the basement with racks of unsightly servers when most of your daily operating applications can be hosted elsewhere and accessed on the Internet?
2. Integration. Over the past few years, hotel technology vendors have recognized that while offering an all-in-one system with myriad features may command the highest price point, it could lead to offering a product that lacks in certain areas. Therefore, creating partnerships with neighboring vendors and integrating with third-party tools has taken priority.
3. Mobile applications. Introducing mobile applications, especially mobile booking solutions, seemed to be the overriding trend at HITEC 2009. (See H&MM’s award-winning feature series, "Mobile Marketplace: A new business model in the palm of your hand," from July 2009).
Many vendors caught up in 2010 and flaunted flashy e-concierge applications available to the guest. Others are putting control in the hands of the property-level staff, offering applications that let the GM monitor daily data even when off property. But most vendors in 2010 moved away from simply building iPhone apps, recognizing the increasing popularity of the Droid platform. The most forward-thinking vendors have built software-based applications that can be implemented in the form of an iPhone app, iPad app, Droid app, browser-based application or software installed on the PC.
4. iPad applications. There are rumors floating around that an Indian company called Notion Ink soon will release a product called Adam that will make the iPad practically irrelevant (it runs on a much more open-sourced Google Android system, has Flash capability, 1080p resolution and an HDMI output). If this turns out to be true, Lord help the 50 percent of vendors at HITEC who spent countless hours and dollars in 2010 developing sleek iPad apps.
I’ll admit: anything that runs on an iPad looks cool. Forget those clunky little tabletop, bedside LCD screens that control the temperature and drapes; the iPad replaces those. Forget the front desk; have concierge staff greet guests at the door and check them in on an iPad that is capable of upselling, reserving tee times, collecting customer data and cutting keys.
One thing I learned at HITEC is that if you already have an iPhone app, you can’t simply edit the resolution in the source code and spit out an iPad app. It’s got to be redeveloped, and a multitude of hospitality vendors spent the past four months doing just that, adding more features along the way.
5. The “wow” factor. There are always those few products that may not be all that practical, or cost-effective, but are just simply sexy. HITEC 2010 had a handful.
A company called PSAV has teamed with DirecTV and was streaming the World Cup live in 3-D through electronic shutter glasses. I wasn’t sold on 3-DTV, but the picture was simply amazing; it literally felt like you were standing on the sidelines.
The Cybertecture Mirror was on display in Guestroom 20X, offering an interactive mirror that can display the time, temperature, local traffic, news and live television, among other things. Imagine waking up and skimming your Facebook page while brushing your teeth. Wirelessly connected to a scale, users were able to view their current height, weight, body mass index, as well as graphed data on how that health information is trending. Mirrors in hotel rooms can be synched with your mirror at home since data is kept in a cloud, and health information can even be shared with your physician.
Sometimes, all you have to do is ask.
For example, I met with Joe Long, CIO and EVP of development for Kimpton Hotels & Restaurants at the New York University International Hospitality Industry Investment Conference. He spoke on a variety of topics about his company, including:
• How they currently are working through a $140-million acquisition fund with three years remaining in their investment period.
• How a Hotel Palomar differs from a Hotel Monaco (A Palomar is more tailored and a Monaco is more whimsical). And how it’s easier design-wise to have these templates and formulas in place because “it’s not so easy to come up with new ideas and designs for every new hotel.”
• How Kimpton hotels have a greater success when open in a market with other Kimpton hotels.
• How a sizable chunk of their business is in third-party management.
• And how they are targeting Washington, D.C., Chicago and Denver as good Kimpton destinations.
At this point, because I’m always one step away from talking about Cleveland—H&MM’s home base and my favorite place on earth—I asked, half-joking, when Kimpton planned on putting a hotel in Cleveland.
That’s when Long said Cleveland wasn’t quite the market for a Kimpton Hotel, which are all four-star-and-above concepts. Clearly this bummed me out because I think Cleveland would be a great spot for a Kimpton.
But then he picked me back up, saying Kimpton is in the early idea stages of developing a 3 ½-star concept that would be specifically for markets like Cleveland. I’m not sure if he said this so I would feel better or because they actually are working on it, but be on the lookout, secondary cities of the Midwest—you may be in line for a Kimpton hotel after all.
Orlando—Sometimes new hospitality technology products are launched that will truly revolutionize and streamline the way property-level employees go about their day-to-day activities. Other times, new technology products are simply really cool. If you can hit the mark in both areas, you’re destined for success.
It’s always fun gearing up for the Hospitality Industry Technology Expo and Conference and predicting which companies will introduce the best products. Product launches certainly follow trends; last year a slew of companies introduced iPhone applications at HITEC and this year it looks as if many companies will be introducing iPad applications. Some will be flashy and eye-popping. The best ones will be revenue generators or help staff on the hotel floors perform their jobs more efficiently.
Here’s a sneak peek at some of the new, innovative products that will be introduced at the show:
— Alcatel-Lucent (booth #751) will demo the My IC Phone: the multimedia hub for guestrooms that enables guests to have instant access to a variety of hotel services, communication options, entertainment choices, room controls and Web applications, all through an intuitive, high-resolution touch-screen interface.
— Alloso Technologies (booth #1141) will unveil a business intelligence iPhone application. The app displays a comprehensive dashboard on an iPhone or iPod Touch that accesses real-time summary information for GMs, regional managers and executives. It includes key performance indicators, P&L data, budget comparisons, revenue segments, expenses, competitive set data and links to guest reviews.
— Aptech Systems (booth #723) is launching EV Lite and announcing its Next Generation Aptech Accounting Solution. EV Lite is a cost effective, Web-based financial reporting tool for operators who need daily performance reporting and automated multi-property data gathering. The system gathers and consolidates financial and other performance data from multiple hotels and delivers a wide variety of management reporting.
— Avaya (booth #661) will launch a hospitality technology platform to help hotels more effectively tailor in-room guest services by running interactive applications on a next-generation guestroom phone, which acts as a type of in-room media hub. Avaya Guest Media Hub features a touch-screen interface that allows guests to make phone calls, set alarms, get stock quotes, check the weather, make restaurant reservations and tee times and peruse the wine list.
— Cendyn (booth #931) will announce an eCRM suite — a one-platform tool for sales, guest preference tracking, follow up satisfaction survey and follow-on marketing. eCRM Suite is installed at The Breakers and is increasing the resort’s revenue through a better understanding of how to market more effectively to guests preferences.
— Flyte Systems (booth #651) is announcing FlytePad, its iPad-based airline information service. Flyte monitors which city you are in and sends airline flight information for the nearest airports so guest service staff can assist guests anywhere on property, even in the airport shuttle.
— hotel SystemsPro (booth #856) is launching its iPad Internet-based hotel ServicePro solution that lets operators create and monitor all property or hotel chain maintenance, service and guest service needs from one screen. It enables executive management review of required services that include scheduled maintenance, insurance renewals, health inspections, deep cleaning cycles and many other duties.
— Northwind-Maestro PMS (booth #523) will unveil ResWave direct website bookings using social media and mobile devices. The mobile-ready ResWave Booking Engine levels the playing field for independent operators by delivering a mobile-optimized marketing and booking experience to guests at a lower cost-per-reservation than third-party online travel sites.
— O’Rourke Hospitality Marketing (booth #1234) will introduce an iPhone app for hotels called Smartstay, a new ‘white label’ iPhone app that hotels can customize to represent their own brand. Hotels can enter hotel information, images, videos and news updates with a content-management system they can access online.
— Travel Tripper (booth #1326) will introduce RezTrip 2.0, a private-label online booking engine offering new ways to merchandise, price, package, up-sell and cross-sell. Flexible packaging options will result in guests booking more than just guestrooms and drive higher value reservations.
— VingCard Elsafe (booth #1017) will introduce a wireless online system offering benefits beyond wireless online electronic locks, which will have an impact on the efficiency at hotel properties to immediately improve the bottom line and positively influence the guest experience. Based on the success of VisionLine, VingCard Elsafe’s new wireless solution will provide a cost-effective, reliable solution.
— VTech (booth #451) will announce its entrance into the hospitality market, demonstrating its new product line dedicated to hospitality.
I’ll be spending a lot of time at HITEC bouncing from booth to booth, watching demos of how these new products work. I’ll certainly snap a lot of pictures and corral a lot of information, so stay tuned to our On the Road page for continuous HITEC coverage.
In any case—if I do nothing else at HITEC—my No. 1 priority is to sign up for as many iPad giveaways as possible. The following companies have announced they’ll be holding drawings in which the winners will receive an Apple iPad.
— Register to win a free Apple iPad or iPod nano when you speak with a representative of RCN Business Services (booth #1344).
— Visitors to the O’Rourke Hospitality Marketing booth (#1234) can enter to win an Apple iPad by filling out a raffle form, which can be downloaded from the Smartstay website. A drawing will be held at 11 a.m., June 24 at the booth, and the winner must be present.
— Northwind-Maestro PMS (booth #523) will give away an Apple iPad to booth visitors who test drive Maestro’s new ResWave Booking Engine on Facebook, Twitter or mobile.
— Revpar Guru is giving away an iPad to any revenue manager or hotel owner that signs up for the system, starting June 1, for a limited time. The iPad will allow revenue managers to access the Revpar Guru system's control panel from anywhere, enabling revenue managers to make rate changes, view up-to-the-minute statistics and graphs and monitor the performance of the automated system.
— Visit PrinterOn at booth #629 and get your Passport to Technology stamped for a chance to win an iPad. PrinterOn will be giving away two.
— Stop by ActiveResorts booth #509 for your chance to win an iPad.
— At booth #112, Movitas will be giving away three Apple nanos and an iPad. From HITEC, send a text message to 77950 with the message nano and your email address. You'll automatically be entered to win one of three nanos and you'll also receive an exclusive mobile entry form to enter to win the iPad. A video nano will be given away each day during HITEC and the winner of the iPad will be drawn from mobile web form entries at 1:30 p.m. Thursday. You must be present to win.
I had the pleasure of touring the new Trump SoHo New York this week. The property, which opened in April, is an impressive addition to the fashionable and artistic New York district.
The gleaming, 454-ft tower stands out in a neighborhood dominated by low- and mid-rise apartments and boutique hotels. But as substantial as it looks, the most amazing thing about this property is its very real intimacy inside. Instead of large, airy spaces, Rockwell Group opted to break the two-story lobby into digestible pieces—small areas where guests can separate themselves from the larger crowd.
“Rockwell used turn-of-the-last-century hotels as an inspiration and wanted to do a modern twist on it,” said Sharon Telesca Feurer, director of sales and marketing.
Designers emphasized the verticality of the lobby space with irregularly slotted screens that front some of the windows. Light coming through the louvers changes throughout the day, Telesca Feurer said, imparting different feels. Rich, raw walnut and oxidized steel give a dark, yet modern and elegant vibe. An LED glass chandelier is suspended next to the entrance—an object that Telesca Feurer described as the property’s lighthouse. That seems an understatement. During the evening hours, the light is a beacon, tempting people to come in and explore.
A beautiful library space with books by Taschen overlooks the lobby from the second floor, but a glass wall keeps most noise from intruding into the quiet, rich space. Although there are elements of the traditional dark library, guests will also be surprised by opposing floor-to-ceiling windows on one side of the room—which open so fully to the streetscape below that one could imagine a bit of vertigo setting in.
The 391 guestrooms, suites and penthouses are surprisingly large and thoughtfully designed. Excellent connectivity on the working desk showed that technology was not an afterthought here. A muted residential feel pervades, with Fendi Casa furnishings and custom bedding by Bellino. Sliding doors in the suites separate the bedroom from the living room. Brilliantly, a small half bath (in addition to the master bath) in the living area of some of the suites means that one could realistically hold business meetings without concern about colleagues invading the more private bedroom/bath space.
Views out the enormous windows are stunning, with a sight corridor down 6th Avenue all the way to Central Park, four miles in the distance. And Telesca Feurer stressed that the building’s verticality helps keep the intimacy in the floorplates, too—floors have a maximum of 12 rooms or suites.
Quattro Gastronomia Italiana, the property’s main restaurant, seats 160 and serves up Italian fare with an emphasis on cuisine from the northern part of the country. In a bit of a wink-and-nod moment, Rockwell incorporated Pompeii lava stone in the walls surrounding the restaurant. A second level of the restaurant can be reserved for groups or events.
The coming months will see the property finish its final touches. A meeting space on the 46th floor (with even more jaw-dropping vistas, to be sure) will be completed, as will the pool deck with bocce court and an 11,000 square-foot, bi-level spa. Design head Ivanka Trump returned from a trip to Turkey so impressed with the country’s hamam spa treatments, she used hamam as the inspiration for the Trump SoHo spa. Telesca Feurer claims that this will be the first “luxury hamam” spa experience in the U.S.
This property must have been a challenge for Donald Trump, who let go of creative control and allowed his three children, Donald Jr., Eric and Ivanka, to take the lead on the look and feel of the property. Far from the traditional gold-leaf luxury that some associate Trump with, this new hotel probably isn’t his personal style. But give him credit for letting the new generation show their style and outlook. If this property is any indication, Trump can sleep soundly, knowing that his brand is in good hands.
Let's get all of the context out of the way early: I've been with Hotel & Motel Management for two years; this was the first NYU conference I've attended; I'm only 26 years old; and the 24-hour media cycle sometimes makes me believe some issues are worse than they really are.
Some may see my perspective on industry cycles and historic trends as naive. But I just want to make sure everyone isn't so ready to experience a V or a U (or any other letter that's positioned to inevitably turn upward), that they let their guard down for another turn in public sentiment.
(Oh, one other piece of contextual information—I'm a die-hard Cleveland sports fan. I'm genetically predisposed to have my guard up and to be pessimistic, even in the best of times. For example, when the Cavs were in the playoffs this year, all it took was one loss to the Boston Celtics before I sounded the alarm bells and packed in my optimism. I know it's silly, but, as always, this outlook prevailed and my team lost again. No championships since 1964—can't argue with the numbers.)
So, what does this have to do with hospitality? At the very start of the first opening session at this year's NYU conference, producers showed a video montage of events from 2008 and 2009—of all the catastrophes that happened. The recession; the AIG effect; and Swine Flu to name the biggies. And then the montage turned to 2010, and the images were only positive. The montage reflected the climbing demand numbers, which reflected a majority of the sentiment among panelists and attendees: 2010 is looking good; the recovery is around the corner.
And it makes sense judging from past recessions. Everything moves in a cycle. We went down in 2008 and we're starting to recover now, so, inevitably, the trend just continues, until it peaks and then it goes back down. Cyclical. We're just all along for the ride.
I agree with using historic trends as guidance. If we don't learn from history, we're doomed to repeat it. Well, a lesson I've learned from history, as illustrated within this last decade, is that crazy stuff happens when you aren't expecting it. For example, what really caused the industry to crash in 2008? It was an economic meltdown that many said was unpredictable (which also indicates it wasn't exactly cyclical, because we all would have predicted it, right?).
The elephant in the room during the opening day of NYU, other than average daily rate numbers, is the lingering fear of the unknown. The problem is, there is still a lot happening outside of this industry that isn't positive.
Monty Bennett, CEO of Ashford Hospitality Trust, mentioned how the continued instability of certain financial markets (mainly Greece) can quickly spread to others markets (Greece is already spreading into Spain). And he said U.S. debt levels are not far off from those countries.
Andrew Cosslett, CEO of InterContinental Hotels Group, cautiously echoed these sentiments, saying: "If the Euro continues to be a problem, that again could be difficult."
Richard Kelleher, CEO of Pyramid Hotel Group, said we will "experience a V recovery … unless of course there is another terrorist attack." (Well, let's not forget there almost was one in Times Square recently. What would have happened had that bomb gone off?)
Kelleher also was concerned about hotels in the West: The supply conditions in San Diego, the boycott in Arizona, the group business and supply concerns in Las Vegas—"the West has [its] own set of conditions," he said.
Mark Hoplamazian, president and CEO of Hyatt Hotels Corp., mentioned two macro issues that could still hamper the recovery: unemployment and the housing crisis. (Lalia Rach quoted unemployment at 9.5 percent.) "Those macro issues actually have the most to do with consumer confidence," Hoplamazian said.
And referring to the recovery, he said, "These things are not measured in weeks or months, it's a longer duration."
Most of all, many people asked about the oil spill in the Gulf.
Anecdotally, David Kong, president and CEO of Best Western International, said since Friday, he's heard from individual owners in the Gulf Coast that they've had a tremendous amount of cancellations.
"They also said the number of bookings coming in has dropped significantly," he said.
Arne Sorenson, president and COO of Marriott International, mentioned how the photos of the animals covered in oil brought the tragedy home to a lot of people.
"As it gets further east and around the [Florida] Keys, the markets get bigger and bigger. And if it comes up the East coast, it gets that much more disconcerting," Sorenson said.
The oil spill is my main basis for this concern. As of now, that leak has not stopped. I've heard that every 10 days, the oil coming out of this current leak adds up to another Exxon Valdez spill. To me, it's tough to get fully pumped about a U or a V recovery when there is literally another catastrophe still happening in this country, with no solid solution. Just dealing with our industry, the oil spewing out of the Gulf could potentially affect summer vacation areas for years or generations to come.
And not even that, but just the fragility of the world economy in general leaves me uneasy. That montage that started this NYU conference showed a whole bunch of unfortunate incidents, and that was just within one year—last year. We didn't plan for those events or consequences; they just happened.
Obviously I wouldn't recommend playing by a strategy of constant fear. But I just suggest moving forward with an acknowledgment for the times we are in. There's still a lot happening across the globe that's worthy of being put into a depressing montage, no matter how high demand might be year over year for a few months.
Earlier this year I stayed at a Gaylord property for the first time. I’m a little ashamed to admit that, given the brand’s goliath status among convention hotels and resorts, but it’s the truth. On my shuttle ride from the Gaylord Palms to the Orlando airport on the morning of my departure, I tweeted that I had experienced the all-time best customer service of my professional career at this property. Seriously. No strings attached. Best, most natural, helpful customer service. Simple as that.
So it is with a keen eye that I have been following the fate of the Gaylord Opryland in Nashville, following the devastating Tennessee flooding earlier this month.
According to Smith Travel Research (which has its US headquarters in nearby Hendersonville, Tenn.), the Opryland’s 2,881 rooms account for 8 percent of the market’s total room inventory.
It’s easy to find news and photos that chronicle the hotel’s evacuation and flooding, and even stories of its recovery. Visit http://www.gaylordhotels.com/gaylord-opryland/ for current status reports and press releases about event rebookings and more. The Wall Street Journal has a news story here. Local news, photos and more are online at www.tennessean.com. Market recovery information from STR is here. You can even watch live video clips of the hotel filling with water on YouTube.
So of course I visited Facebook to round out my news gathering. And what a surprise. Gaylord spokeswoman Amy Atkinson tells me the property just recently launched its general Facebook page, but what I found first was the Careers at Gaylord Opryland Hotel & Convention Center page, designed as a portal to post job openings.
So what’s the message here? The people who leave comments on this page (the majority are past guests, not potential employees) aren’t doing active cleanup on the property. They probably haven’t donated money to relief efforts. They simply are showing their support through a channel that wasn’t even set up intentionally for guest comments.
The hotel will recover. It will clean up, rebuild and restore. It will find alternatives for the thousands of conference and wedding guests displaced by the events. It’ll be an expensive and time-consuming effort, but it will happen. And when it does, I don’t think they’ll have to spend too much money to get guests back in the doors.
The image at the top of this post is a great example of the circle of goodwill that resonates among the Gaylord's guests and staff and community. It's an ad, placed by Gaylord Entertainment, in the Tennessean, and the text reads:
In the past week, we have experienced a natural disaster of epic proportions, with the Grand Ole Opry House and Gaylord Opryland Resort taking the brunt of the blow. The flood waters may have damaged our physical surroundings, but they have certainly not drenched the care and compassion of this great community. And as the waters recede, they will continue to reveal the stories of friends helping one another, neighbors helping neighbors, and the undying love of this legendary city.
Gaylord Entertainment would like to express special thanks to our STARS (employees), business partners, and all the hard work of our neighbors in the greater Nashville area. We are not only committed to rebuilding our buildings but also to helping lead a revival of our community. Our city and our company will emerge better and stronger. Indeed, the challenge will define us in the way it unites us all. Because, after all, as Mother Maybelle Carter sang in her iconic, inspiring musical tribute, The Circle will remain “Unbroken…by and by, Lord, by and by.”
Sometimes I’m in a situation where I have to give a short summary of the Payment Card Industry Data Security Standard assessment process. PCI DSS is a set of 12 requirements that all businesses that accept and process credit cards have to follow. The requirements are ultimately intended to help businesses take steps to protect cardholder data, their own and their customers’, on networks, on point-of-sale systems and in other areas.
Given that descriptions of these requirements alone fill up books, not to mention all of the other print and online resources available, this ends up being a difficult task. It is like summarizing the history of Western civilization in five sentences or less. After you say that it started with the Greeks, it gets complicated.
But I have found that there are some areas that, if well understood, will help businesses get through the compliance process. If there were just a few things to remember out of all of this, these are the key takeaways for understanding assessments:
• A PCI DSS assessment is not an audit
• The objective is to be compliant. It’s not like horseshoes; “close enough” doesn’t count
• Prepare for the assessment. As with the SAT or GMAT, the questions on the test are known in advance
• PCI DSS asks for two things: security and accountability
It’s not an audit
First, always remember that the PCI DSS assessment isn’t an audit. It is a process to help get businesses into compliance with the requirements, and for those businesses to be able to show that compliance to both their acquiring banks and the card brands.
Audits imply passing a test on a given day. Businesses validating compliance have to understand that they must maintain their compliance all year. It does not end when the assessor leaves.
Compliance is the objective
The objective of every assessment is compliance. Unlike an audit, where problems are identified and then corrected before the next audit, each PCI DSS assessment stands on its own. The goal at the end of the assessment is for the business to be compliant. So, for some businesses, that means there will be a remediation phase as part of the assessment. After any problems have been corrected, re-assessments are done regularly to validate that compliance is being maintained.
Prepare for the assessment
Preparation is key to any project and PCI DSS is no different. Fortunately, because PCI DSS is a well-published standard, like the SAT or GMAT, you can find out exactly what the tests will be in advance. If you are going to be assessed by a third party, it is good to do some self-assessment ahead of time and have any evidence prepared for the assessors when they begin their work. Don’t be afraid that the work you hand over will be turned down. The assessor will appreciate any information that you can share in advance.
Also, many folks have a common reaction to an audit interview. They often take the Perry Mason approach and don’t answer questions unless asked, and only answer what is asked.
Don’t do that! The assessor will need every bit of relevant information necessary to validate compliance. Sometimes, more information is needed. I have looked at a control many times and thought, on first impression, that it might not be compliant. But when I received more information about the control, or about another process associated with it, I found that it was compliant.
Two Words: Security and Accountability
If you ever saw the movie “The Graduate”, then you probably remember the signature scene where Dustin Hoffman’s character is taken aside by one of his father’s friends, who gives him this one-word piece of advice: “Plastics”.
The two words that are most important to keep in mind during assessments are security and accountability. I know they don’t have as much cachet and bounce as “Plastics”, but they will have to do here.
Security and accountability are the hallmarks of the PCI DSS requirements. If you look over all of the requirements, it is easy to see that each of them relates to security, accountability or both. Knowing this makes it easier to understand the objective of the requirements and what needs to be addressed within your business.
These highlights of PCI DSS assessments are ones that you may not find in any book or website. But hopefully you now have a notion of how to get ready for and go through the PCI DSS assessment. PCI DSS did not start with the Greeks and the history of Western civilization, so perhaps it doesn’t have to be as complicated, either.
Credit card security is everyone’s responsibility. If you’re accepting credit-card payments over the phone, on site or via the Web, you have an obligation to protect your customers—and yourself—from data theft.
Many hotel and motel operators believe that their credit card activity falls “below the radar,” either because of their small transaction volume or because they don’t store credit card data. In fact, hotels are as vulnerable as restaurants, small grocery stores or any other small-to-medium merchant. Hackers regularly search out businesses like yours. They may either operate “in the blind” over the Web, looking for open data ports through which they might ultimately breach a payment network, or they may specifically target a particular merchant.
No one is immune—and that’s why PCI compliance is so important. While there are a number of elements to establishing credit card/IT security, here are some of the most critical:
• Properly configure firewalls. First, ensure that you have a firewall, and then ensure that it is properly configured. What many merchants don’t realize is that firewalls are meant not only to prevent things from getting in, but also from getting out. Make sure your firewalls also are configured to segment your payment application from other business activities. This way you can configure your payment application to only transmit out to your payment processor.
• Protect against unwanted remote access. Allowing remote access to your network is often a necessity. If that is the case, ensure that remote access can only be accomplished with two-factor authentication. For example, require a complex, individual password and have someone onsite at your business enable the connection. Don’t use default IDs/passwords; select new (complex) ones and ensure that all users have their own individual authentication credentials. Also, remote access (using pcAnywhere, VNC, LogMeIn, etc.) should only be used by authorized employees.
• Ensure strong encryption of stored cardholder data. By encrypting all stored credit-card data, you make it far more likely that if an attacker gets into your cardholder environment, the data they steal will be unusable.
• Stay current with patches and updates. Make sure your operating systems, your applications and all your anti-virus and anti-spyware services are up to date.
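One way to check that the segmentation described in the firewall bullet is actually holding, as an added example that is not from the article: a script that reads firewall logs and flags any accepted connection leaving the point-of-sale segment for anything other than the payment processor. The segment range, processor address and port, and the log format are all assumed for the illustration.

```python
import ipaddress
import re

# Constructed policy for this illustration (assumed values, not from the article):
# the POS segment may only talk outbound to the payment processor on TCP 443.
POS_SEGMENT = ipaddress.ip_network("10.20.0.0/24")
PROCESSOR = ipaddress.ip_address("203.0.113.10")  # placeholder (TEST-NET-3)
PROCESSOR_PORT = 443

# Constructed firewall log lines in an assumed key=value format.
SAMPLE_LOG = """\
2010-05-03T10:01:02 action=ACCEPT src=10.20.0.15 dst=203.0.113.10 proto=tcp dport=443
2010-05-03T10:01:09 action=ACCEPT src=10.20.0.15 dst=198.51.100.77 proto=tcp dport=80
2010-05-03T10:02:11 action=DROP src=10.20.0.22 dst=192.0.2.5 proto=tcp dport=22
2010-05-03T10:03:30 action=ACCEPT src=10.20.0.22 dst=10.30.0.9 proto=tcp dport=445
2010-05-03T10:04:00 action=ACCEPT src=10.30.0.9 dst=198.51.100.77 proto=tcp dport=80
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) action=(?P<action>\w+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"proto=(?P<proto>\w+) dport=(?P<dport>\d+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that don't match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    return rec


def egress_violations(log_text):
    """Return (ts, src, dst, dport) for ACCEPTed flows that left the POS segment
    for anything other than the processor on its expected port."""
    found = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["action"] != "ACCEPT":
            continue  # DROPped flows are the firewall doing its job
        src = ipaddress.ip_address(rec["src"])
        dst = ipaddress.ip_address(rec["dst"])
        if src not in POS_SEGMENT:
            continue  # not the payment segment; outside this check's scope
        if dst == PROCESSOR and rec["dport"] == PROCESSOR_PORT:
            continue  # the single permitted egress path
        found.append((rec["ts"], rec["src"], rec["dst"], rec["dport"]))
    return found
```

Run against the sample, it reports the POS host browsing the Web and the POS host reaching a back-office file share, both of which a properly segmented firewall should have dropped.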
Contrary to what many small businesses believe, PCI compliance is not optional. It is both mandated by your acquiring financial institution and enforced by the major payment brands (Visa, MasterCard, American Express, Discover and JCB).
The kind of compliance you are required to meet is determined by your financial institution and defined by the number of credit-card transactions under your merchant ID. Generally, individual properties must complete and submit an annual Self-Assessment Questionnaire (SAQ), and a quarterly network vulnerability scan must be completed by an Approved Scanning Vendor (ASV). Scans should also be done any time changes are made to your system—for example, after changing Internet service providers, applying updates or adding/changing point-of-sale terminals.
If your institution tells you that an annual SAQ and quarterly scan are sufficient, go to the PCI Security Standards Council website (www.pcisecuritystandards.org) and download a copy of the SAQ. A list of ASVs is available on the site as well. Remember, compliance is not a one-time activity, nor is it accomplished by a single fix. IT security requires a layered approach. Assessment and testing cover only a single point in time; you can be compliant now and not later. Routine security maintenance is required in order to preserve PCI compliance and ensure that you and your guests remain protected.
Sometimes highly technical subjects, to the average layperson, are easy to gloss over and dismiss. If I can’t immediately process how something works, it’s easy to toss it on the backburner and move on to something more manageable.
Personal data, security breaches, Web-based hacking and payment card information are those kind of topics. But it’s important that we not overlook protecting personal data and instead focus on doing the most we can to keep it out of the wrong hands. It’s critically important for hotel owners, management companies, technology vendors and property-level staff to do all they can to keep guests’ data secure.
Trustwave’s report earlier this year that the hotel industry experienced the most security breaches of any industry in 2009 should serve as a wake-up call. As a frequent traveler, I found that the report got my attention, and it’s something I think about each and every time I hand my credit card over to the front-desk clerk. As an editor, it jumped out as a topic that needs exploring; a problem that needs to be brought to the forefront.
It turns out there are many organizations taking action. The Payment Card Industry Security Standards Council has made it its mission to ensure merchants and vendors comply with regulations that aim to keep hackers away from personal data files. The PCI SSC outlined a 12-step checklist that covers the basics of protection. Visa has adopted the 12 steps of compliance and is mandating that its merchants comply with them by July 1; other credit card brands have similar deadlines. There is no PCI Police—Visa won’t be sending an inspector door to door to make sure your hotel is compliant—but if your property is breached and it turns out you didn’t take the necessary steps, the financial implications alone will be crippling.
Some of the steps are extensive; the best protection from hackers will require proactive financial investments. Point-of-sale systems should run on a dedicated server, for instance. But some precautions are simple steps we take at home on our personal desktops: tips like changing your passwords frequently, updating anti-virus software regularly, restricting unnecessary access to credit card data files and simply taking the time to learn every portal through which a guest’s credit card information passes in your system.
The mountain of information and available data, as well as the importance of safety and security, led Hotel & Motel Management to create a weeklong series on PCI compliance. With the series that will run throughout this week, we hope to help you create a more data-secure environment at your hotel as well as comply with Visa’s standards in time for the looming deadline. We enlisted the help of some of the best security experts as well as technology vendors who have been through the PCI SSC assessment process. The week will culminate with a free Live Chat at 2 p.m. ET Friday, where experts will be available to answer your questions on how you can better guard guest data and become PCI compliant. More information on the Live Chat is available here.