If you're worried about being a victim of a data breach, a new consumer tool can help you identify—and avoid—hotels and major retailers who are irresponsibly exposing your credit card, debit card, and other personal information to hackers.
PrivacyAtlas.com, which launched today, gives you the ability to search 39,000 U.S. hotel and motel locations and 28,000 big chain stores to determine whether they comply with the Payment Card Industry Data Security Standard.
You simply enter the name of the hotel or merchant into the PrivacyAtlas.com search engine, along with the address of any specific location, to learn whether compliance was verified (as indicated by a green checkmark) or not (indicated by a red “X”). Participation by companies is voluntary, and locations that choose not to disclose their compliance status to PrivacyAtlas.com get a black mark, while a yellow icon indicates that verification is in process.
For example, “America’s Best Value Inn has over 1,000 properties that are not validated as part of the PrivacyAtlas program,” Dave Durko, CEO of PrivacyAtlas.com, said. That earns each America’s Best Value Inn location a scarlet letter.
“From our research, none of the properties complies with the PCI standard, and they have not filed any level of compliance documentation with their bank payment acquirers," Durko said. "In this case, PrivacyAtlas cannot validate the compliance levels of the organizations and they must be rated, ‘Merchant Not Verified by PrivacyAtlas.’”
Craig Leitch, vice president of operations at America’s Best Value Inn's parent company, says that PCI compliance for reservations and bookings transactions handled by the corporate headquarters website and call center is taken care of by Sabre Hospitality, a leading Central Reservations Systems provider. But Leitch says America’s Best Value Inn isn’t responsible for the PCI compliance of the individual locations in the chain.
“Because each of the 1,000-plus individual properties operating under one of our brands is independently owned and operated,” Leitch said in an e-mail statement delivered by a company representative, “each individual property is responsible for its own PCI compliance.”
Although each property chooses its own merchant service provider, “in our experience they all require that the properties be PCI compliant in order to handle their credit and debit card transactions,” Leitch said. “On our end we stress the importance of PCI compliance on a regular basis.”
Learn how to protect yourself from a variety of threats with our guide to Internet security.
PrivacyAtlas.com is free. The website's parent company, Security Validation LLC, a data-security consulting firm, makes money by charging participating companies fees to validate their compliance and to help bring them into compliance if they're not. Noncompliant companies can hire any of hundreds of security consulting firms to get right with PCI DSS; they're under no obligation to use Durko's company.
When we searched more than 30 major hotel brands on launch day, we found scores of concerning red X's, but most locations turned up as "In process," suggesting that PrivacyAtlas investigators still have lots of work to do. Nevertheless, the search tool represents an important first step in consumer empowerment on this issue. Until now, data breaches might have seemed like random bad-luck events that are impossible for consumers to guard against. But PrivacyAtlas.com exposes the fact that there is searchable and readily available information about where breach lightning is reasonably more likely to strike—at companies that don't even meet the minimum requirements of PCI DSS. Armed with that information, you can take your business to responsible companies and avoid those who aren't or won't publicly disclose their status.
PrivacyAtlas’ primary data source is the record of compliance that businesses already maintain—or are supposed to maintain. Payment card processors, including Discover, MasterCard, and Visa, require businesses of any size to comply with PCI DSS as a condition of accepting payment cards and storing, processing, or transmitting cardholder data.
But Durko, former director of security-compliance management for the Wyndham Hotel Group with 15 years in the data-security industry, said “no one is policing compliance.”
“We don’t have anything to do with enforcement," Bob Russo, general manager for the Payment Card Industry Security Standards Council, said. “We’re just the standards guys. The credit-card companies enforce it. If there’s a breach, there could be an enforcement issue that comes from the credit card brand to the acquiring bank, and the acquiring bank rolls it down to the merchant.” Discover, MasterCard, and Visa did not respond to our requests for an interview or comment.
Durko is thus something of a whistle-blower, who says PCI certification is also flawed because it's only a once-a-year test. Russo lends support to that view. “Compliance is a snapshot in time," he said. "It’s that one day in time when you’ve got all your dead-bolt locks in place. Now it’s up to you, the merchant, to make sure you do it. If you don’t do it every day, you’re not PCI compliant. That’s what we’re finding.”
Also, while a company may be PCI compliant at the corporate level, each hotel property and store location must also assess and report its own compliance. PrivacyAtlas.com requests these individual reports and its investigators send back a proprietary follow-up questionnaire that querries for known security and compliance issues.
For example, companies whose computer systems use Windows XP for payment processing just became PCI noncompliant today, April 8, when Microsoft ended extended support for that product. “Security updates and patches will no longer be available, and any payment systems and computers still running XP will be vulnerable to attacks,” leaving the door “wide open for hackers,” says the PCI Security Standards Council.
Durko’s consulting firm also conducts periodic follow-up compliance assessments of verified companies throughout the year.
Most important, Durko is bringing transparency to an industry that should make PCI compliance reports publicly available. "That is the crux of PrivacyAtlas," Durko said. "We want to give consumers the ability to make an informed decision.”
—Jeff Blyskal
Consumer Reports has no relationship with any advertisers or sponsors on this website. Copyright © 2007-2013 Consumers Union of U.S.