Payment Security: Does the Hospitality Industry Need to Improve Customer Data Measures?

Accepting fast payments has always been crucial in hospitality businesses. If there’s a long line – in a cafe, a pub, or a restaurant, for example – customers need to be able to pay quickly and securely.

Quickly – and securely.

The advent (and continuing evolution) of contactless technology has ticked the first box. Customers are able to purchase a coffee, beer, or wine at the point of sale in mere milliseconds – seamlessly, and with just the flick of a wrist. Yet the big question remains – how secure is it?

Below, we’ll examine the state of payment security in the hospitality industry. How do payments at the point of sale work – and how safe are they, really? 

Moreover, does the hospitality industry need to improve how it handles sensitive customer data? And, if so…how?

The State of Payments in the Hospitality Industry

Let’s start by acknowledging the obvious – the hospitality industry is extremely reliant on debit and credit card payments. 

Even before COVID-19, these types of payments were popular for their convenience and speed. But since the pandemic’s onset, their hygienic qualities (unlike cash, there’s no hand-to-hand contact to encourage the transmission of viruses) have seen them become the most popular way to pay.

For the hospitality industry in particular, the benefits of contactless are clear. With contactless card readers, servers can take the payment directly to the customer – rather than being restricted to the bar or counter.

What’s more, people spend more when they pay with a card. One 2021 survey suggested that non-cash payments were 73 percent higher than cash payments – good news for bar and restaurant owners! By accepting card payments, hospitality businesses can also utilize other (also COVID-friendly!) ways of settling the bill: including ordering from the table via a QR code, or online. Card payment infrastructure can also help businesses in the hospitality space create more personalized experiences for guests.

Card payments, then, aren’t just growing. They’re absolutely vital. But are they secure?

How Secure Are Card Payments in the Hospitality Industry?

In short, card payments in the hospitality industry are secure – to a point. Let us explain.

Most hospitality systems rely on a collection of technologies to accept payments. Firstly, there’s the POS (Point of Sale) system. In the past, this typically consisted of a barcode reader, a receipt roll and machine, plus a screen (for ringing up the orders) – even a manual cash register. In modern times, though, a POS system can simply be a POS app, paired with an internet-enabled device (such as a phone or tablet).

The other part of the payment infrastructure for hospitality businesses? A payment gateway.

Whether a business is taking payments in-store, online, or both, a payment gateway will always be involved. A payment gateway is a piece of software which acts, unsurprisingly, as a gateway – processing the customer’s credit or debit card data, and facilitating the security of the transaction.

Let’s get a more visual look:

Visualization of how a payment gateway functions. Source: Expert Market

A payment gateway acts as the digital mediator between the merchant (that’s the hospitality business accepting the payment) and the issuing bank (their customer’s bank). The payment gateway ensures the customer has enough funds in their bank account to complete the transaction, and verifies the customer’s details – keeping them secure throughout.

But how secure is it all, really?

The answer, essentially, is very – thanks to a neat little concept called ‘encryption’. Let's 

When a payment gateway receives information, it automatically encrypts it: using a code to transform the data into a ‘secret’ form – or code – that only it is able to read. Being software solutions, many payment gateways also harness measures like firewalls to fend off malicious attempts at entry.

Of course, hackers do exist; and breaches do happen. But here, it’s useful to return to that distinction we just made between the POS system and the payment gateway. While the latter, by and large, is secure, the former is more vulnerable to attack attempts by hackers.

One report, for example, found that of the 21 most high-profile data breaches suffered by hotels since 2010, over 95% (20) were caused by malware affecting the hotels’ POS systems.

Frustratingly – for the business and customers affected – this malware can end up infecting multiple POS systems in the same network (i.e. those run by the same business, across several sites) – and can go undetected for months.

How – and Why – Hospitality Businesses Handle Customer Data Securely During a Transaction

So – should the average bar- or restaurant-going customer be worried for their data?

Realistically, no. While the aforementioned breaches do happen, major ones aren’t common – and rarely do they have lasting implications on the customer.

What’s more, all businesses – including those in the hospitality industry – are strongly incentivized to ensure these types of customer breaches don’t happen. That incentive comes in the form of PCI DSS (Payment Card Industry Data Security Standard), an industry standard that sets strict requirements for how businesses handle sensitive customer data.

Any and all companies that accept credit and debit card payments have to comply – and the cost for non-compliance comes in heavy monetary fines and sanctions. (Often, these can be as high as $50 to $90 per cardholder whose data was compromised; on a large scale, that all adds up!)

The lesson? If you’re a merchant – that is, a hospitality business accepting card payments – you need to ensure you’re PCI compliant. There are several ways to do this, but by far the easiest is to select a reputable payment gateway provider. These companies come ready to roll with glowing PCI credentials – meaning that, as a merchant, you don’t have to do a thing!

Payment Security in the Hospitality Industry: Time for a Change?

So – when it comes to payment security, does the hospitality industry need to improve its customer data measures?

The truth is that all industries – not just the food and drink sector – sport room for improvement here. Even as payment security technology improves at a rapid rate, so too do the capabilities of hackers. Plus, other forms of payment trickery – such as invoice fraud – still exist. And, in that instance, technology is again both the problem and the solution.

That means merchants need to remain vigilant to the threat: trusting their payment gateway providers, while taking care to diligently destroy any potentially identifying data from a transaction. (This could include a check with a signature on it, or a receipt with any portion of a customer’s credit card number.)

It’s a delicate dance, but one that the hospitality industry’s businesses – and customers – need to be aware of, working together to prevent fraud.