Develop plan to protect guests' information, belongings
19 May, 2008 By: Stephen Barth, Hotel and Motel Management
Q. What are some tips to protect sensitive information from credit and debit transactions?
A. Consult with your card processor before making any changes to your point-of-sale system.
Build and maintain a secure network by using a POS system that complies with Visa's Payment Application Best Practices and Payment Card Industry Data Security Standards.
Protect cardholder data by storing only the portion of the customer's credit card data that is essential to your business, such as receipts and reports, in a secure area limited to authorized personnel only. Additionally, you should encrypt all transmissions across open, public networks. Encryption software is required for POS systems connected to the Internet for cardholder data transmission. Sensitive information, such as magnetic stripe data or card validation codes, should never be stored beyond what is required for business, legal or regulatory purposes.
Destroy all documents with obsolete transaction data that includes cardholder information. Each card association recommends a timeframe for retaining these kinds of documents.
Install and/or update your Internet firewall security on all computers and POS systems using IP connectivity—including those with dial-up Internet connections.
Implement access control measures. Only allow the most senior company officials to have access to cardholder data. Protect access by issuing user IDs and passwords and assigning access control rights through your network. Make sure everyone who will have access to cardholder data has had a background check performed and does not have a criminal record. Lastly, delete logons and update all company passwords when an employee leaves the company.
Regularly monitor and test your networks, and update your anti-virus software. This includes computers, POS systems and anything storing or processing cardholder data. Maintain tracking records to demonstrate your security systems and processes are tested and validated regularly.
Enforce an information security policy. Document and maintain an enforceable policy that addresses details of information security. All employees handling sensitive information should know and understand the rules.
Report card theft immediately. A rapid response minimizes your risk and protects your customers.
Special thanks to Dennis Carpenter, with Heartland Payment Systems, for the above information.
Q. What are some guidelines for innkeepers when installing an in-room safe?
A. Make sure there is careful, complete compliance with the Innkeeper Liability Statute in the state in which the inn is located. (Pay particular attention to the notification requirements, how many notices there are and where they must be located. Note: Notices in a drawer or closet do not equate to "conspicuous.")
The safe should be large enough to hold laptops.
If an electrical outlet is provided, make absolutely certain there is no risk of shock.
Ensure secure installation with hidden attachment apparatuses.
Retain as broad a warranty as possible from the safe provider on forced entry and/or removal of the safe itself.
Place the safe in a convenient location for guest access.
Provide sufficient lighting to read the directions and operate the safe.
Provide clear operating directions in appropriate languages for your guest base.
Implement a secure key or code control system.
Provide accessible safes for disabled guests.
If an additional fee is charged for the usage of the safe, be sure to clearly and accurately disclose the fee to the guest.
Unless specifically authorized to do so by your state, do not sell insurance or advise the guest that the fee is for insurance.
Establish a policy for changing the master code in a timely fashion when an employee with access to the master leaves the company for any reason, or any other time the confidentiality of the master code could have been compromised.
Install a hard-to-miss message asking the guest to leave the safe open upon departure.
Implement a checklist item for housekeepers to ensure the safe is open for the next guest, and if the safe is locked upon guest departure, to take appropriate steps to unlock the safe (contact security, advise g.m.) without compromising the master code or key.
Check with your insurance company for a potential premium discount.
An interrogation feature is preferred to allow tracking of historical usage.
If using mechanical key safes, use a high-level security key that cannot be duplicated and has an infinite number of key ways.
Special thanks to Stephen Barth, founder of HospitalityLawyer.com and the Hospitality Law Conference series, and professor at the Conrad N. Hilton College at the University of Houston.
Stephen Barth is an attorney and the founder of HospitalityLawyer.com and the annual Hospitality Law Conference series. He can be reached at (713) 963-8800 or sbarth@hospitalitylawyer.com.
