Dogs Have Owners, Hotels Have Staff

In traffic yesterday I saw a bumper sticker that read “Dogs have owners, cats have staff.” Given that the sticker was surrounded by other feline-themed paraphernalia, I surmised that the driver was boasting of her personal capacity to successfully coexist with Tigger, Boots, or whatever name she gave her cat, regardless of whether the cat actually answers to that name (which it very likely does not). I’ve nothing against cats; they’re cool, elegant and mysterious. I mean, I dig the tune: “Stray Cat Strut, I’m a Stray Cat.” Cats are referenced in poetry and frequently watched on YouTube.com. However, unlike their house pet counterparts (dogs), cats are not prone to compliance. They’re independent. They follow their own rules, even if the guidance they receive is in their best interest. And that got me thinking about PCI compliance and the hospitality industry.

Hospitality is the most feline of industries. At their best, hotels are elegant, comforting, practical and even romantic. However, they don’t have a pack mentality. And when it comes to PCI, establishing payment card security in hospitality is like herding cats.

A recent work by noted war correspondent Elizabeth Becker revealed that 1 in 12 people on Planet Earth is employed in Hospitality (including Travel and Tourism). In terms of raw numbers of people, no other industry compares. However, among the world’s 50 largest corporations you won’t find a single one from the industry. Meanwhile, 78% of data breaches occur in Hospitality and Retail. Over 50% of attacks are targeted at point-of-sale terminals. And in an even more terrifying new trend, new harvesting techniques give today’s hackers access to small businesses (fewer than 250 employees). Small businesses now account for 31% of data breaches. There are so many people, so many places, and so much money in hospitality. Meanwhile, there is no central industry oversight. But it’s not for lack of trying; practically every industry conference includes some sort of PCI Compliance “bootcamp”.

All together now: “Here Kitty, Kitty, Kitty!”

Now, governments are getting involved. In the US, legislators from the Midwestern state of Iowa are considering an act that would make PCI compliance part of the legal code. You may ask, “who cares?” Well, any company doing business in Iowa and/or with Iowans should care. For example, a resort in Florida with vacationing guests from Des Moines would fall into that group. At the federal level, the White House estimates that USD 300 Billion are lost annually to cyber crime. Meanwhile, in January of 2013, Europol issued a Situation Report on payment card fraud. The two key points of the report are (1) the criminal cyber crime market is well organized and (2) most face-to-face payment card fraud against Europeans occurs while they are abroad, principally in the US. With the amount of attention paid to cyber crime, the political trend is unlikely to go away. As the issues of cyber crime and identity theft grow in people’s consciousness, savvy politicians eager to win political points may shrewdly wage a war (whatever that means) against cyber crime. As a result, independent merchants that are not PCI compliant may find themselves feeling very alone.

Dogs instinctively know the pack provides leadership, structure, and protection. Cats do not.

However, it isn’t that independent merchants are entirely powerless. They can start protecting themselves by instilling a culture of security awareness within their company, so that staff can recognize security threats and know what procedures to follow. Recent reports (such as Trustwave 2013) show that PCI-DSS Guideline 5.7, Implement Security Training for All Staff, ought to be the very first step businesses take in their journey toward PCI compliance. For example, in a survey of IT professionals at the RSA 2013 conference in San Francisco in February, 75.8% of respondents believed their colleagues have too much access to sensitive data. Even more concerning, 38.3% of respondents had actually seen colleagues access sensitive data that they simply shouldn’t have been able to access. And of those, only 45.3% reported the incident. This is shocking; these IT professionals obviously know better. They are, after all, the kinds of people that attend the RSA conference. And yet the majority of them still do not securely manage access to the systems under their protection. Meanwhile, according to the “Payment Card Threat Report 2013” by Security Metrics, there are an estimated 315 million payment cards stored on business systems that should not be there.

And if having payment card data stored on your PMS or POS isn’t dangerous enough, consider how reckless it is to allow users to have ridiculously easy-to-guess passwords. A Techweek study in February found that 90% of enterprise systems are guarded by weak passwords. Annually, Gizmodo publishes a list of the year’s 25 worst passwords. In a remarkable display of sportsmanship, it’s the hackers themselves that provide the list. Included in 2012’s hall of shame are such hackable abominations as (#1) “password”, (#2) “123456”, (#12) “trustno1”, (#17) “welcome” and (#21) “jesus”.

Merchants whose IT teams ignore security threats while their systems are weighed down with payment card data and guarded by absurdly easy-to-guess passwords are wise to be concerned. For they are the sleepy, fat, declawed tabbies of the animal kingdom. And as far as the cyber attack dogs are concerned, they are out of doors and it’s open season.