Understanding the security risks of your hotel’s PMS data hosting environment
By Warren Dehan
Data security has come under greater scrutiny for all businesses in recent years, with larger fines and penalties being awarded for contemporary data breaches. This issue is only compounding as digital transactions take precedence over physical exchanges, and third-party partnerships become more important to maintain operations. Choosing the right partner and hosting environment for your property can be complicated, but the property-management system (PMS) selected will play a critical role in securing your confidential data.
Protecting your guests’ data is as important as preserving their physical safety, but confusion still abounds regarding hoteliers’ level of responsibility for protecting guest data. It’s easy to understand why, with multiple ways to host and access the servers containing this data and the way this intersects with third parties.
There are two components of the puzzle: the booking engine used by hotels and the actual PMS. Since guest data can be self-hosted by hotels, managed on-property by a third party or handled entirely off-site, it’s up to hoteliers to decide what works best for their property. Understanding how your hotel accesses and stores guest data is key to understanding its liability in relation to that data.
Hosting your hotel’s online booking engine comes with an extensive investment into web server technology, as well as a great deal of local IT management requirements. For that reason, many hoteliers have chosen to work with third parties to host their booking engine off-site. However, even if your hotel’s data is out of sight, it is a hotel’s responsibility to keep its data partners accountable.
Is the data center equipped with proper heating and ventilation? When was the last time the facilities were inspected? What data security handling certifications do they maintain? How forthcoming is the data center with this information? These are important factors all businesses should know about their data storage, and it is necessary to do your due diligence to be certain your guests’ data is in good hands.
To stay informed on the status of your property’s data storage, operators should become familiar with the management at work in their hosting facility. Request information on the hosting facility’s certifications for GDPR, PCI, SOC 2 and others. It is also useful to learn who oversees rolling out updates to your hotel’s machines, as well as firewall rules, antivirus requirements and more.
Forming relationships with your network administrator is key because every partnership in this arena is unique. Depending on the agreement, data storage and security for hotels could be mostly automated, or hotels could be expected to manage several processes on their own. In some cases, hotels are expected to source out their own data center and manage it themselves—though this is not desirable without a proper IT infrastructure and team at the property or corporate level. With such a range of services available, operators need to be certain they know who is doing what, from backing up information to the day-to-day management of database servers.
No matter how a hotel stores its data, operators will always be liable for securing it on some level. This is particularly true for PCI compliance, as hotels still physically handle credit cards properly and store guests’ card data locally. Partnerships of any kind also do not absolve hotel operators from managing their local network. This is important because hotels have many devices that share printing, internet connections, email, Bluetooth and more. Operators must know where their partners’ liability ends and theirs begins.
For example, data services have tenants, like the housing market, and it pays to know if you have neighbors or not. Businesses have the option to invest in either a dedicated or open hosting environment, with benefits and drawbacks to both. Dedicated hosts allow for updates to roll out in coordination with operators’ decisions, keeping it autonomous and allowing for proper scheduling and preparation.
The other option, where multiple businesses share a single server host and single application instance, is a more hands-off proposition but it comes with its own surprises. Hotels using these hosts may have fewer concerns when it comes to managing their IT, upgrade scheduling or shared data storage, but when an update is rolled out by the host, it is done to every company on the shared server environment, whether your property is prepared for it or not. Surprise updates such as these can potentially impact operations or other aspects of your business.
In general, hosted environments, whether multi-tenanted or dedicated, reduce some of the operational load of your IT team in various ways, depending on the level of interaction coming from your data partner. A fully managed implementation could absolve hoteliers from overseeing updates, watching alerts for threat monitoring and more. These systems also give operators the benefit of accessing their systems from anywhere, often, and ideally, through browser-based user interfaces.
Every property’s needs are unique, but the PMS you choose needs to be able to support your hotel’s business goals. The hosting environment for your PMS and guests’ data should provide you with confidence through open and clear communication, vendor commitment and choice of options that best suit your specific independent needs. Once operators understand their hotel’s liability burden, they are free to focus on their mission of serving guests.
Warren Dehan is the president of Maestro, a cloud and on-premises PMS solution for independent hotels, luxury resorts, conference centers, vacation rentals and multi-property groups.
This is a contributed piece to Hotel Business, authored by an industry professional. The thoughts expressed are the perspective of the bylined individual.