Compliance with the Payment Card Industry Data Security Standards (PCI DSS) continues to be a hot topic in hospitality circles, and for technology writers. In fact, large volumes have been written on the topic, with countless articles offering best practices and reporting on non-compliance penalties, such as increasing fees and commissions.
It has also been reported that the hospitality industry continues to struggle with compliance. The American Hotel and Lodging Association's PCI Primer reports that upwards of 55% of credit card fraud comes from the hospitality industry, and the smallest merchants (Level 4) account for more than 85% of compromises, with a noticeable increase in risks coming from franchisees.
There is one area, however, that remains difficult to measure: consumer confidence. What is the tangible impact on customer confidence and company reputations when a security breach occurs? The University of Delaware is conducting a study, with the assistance of graduate student Ekaterina Berezina, on the impact of poor security on consumer confidence. Specifically, the study seeks to understand the impact of credit card breaches on service quality, guest satisfaction, future revisit intention and the likelihood of recommending the brand/hotel to others (word-of-mouth intention).
Three scenarios: good, bad and ugly
The study presented more than 500 Americans with three different scenarios. In the first scenario, respondents were told that the credit card number they used during their last hotel stay was stolen by hackers. In the second scenario, respondents were told that the hotel they stayed in experienced a security breach, but that their card number was not compromised. In the third scenario, respondents were told that the hotel that they last stayed in passed a security audit, showing a commitment to keeping their credit card data safe.
Before a scenario was presented, each study participant was first asked to rate their quality of stay, satisfaction, revisit intentions and word-of-mouth intentions. Once they had answered, they were presented with just one of the three scenarios, chosen at random. They were then asked to rate the same measures of quality, satisfaction and future behavior again. The second set of responses was then compared to the first set, the control scores, to measure how the security scenario affected guests' opinions.
Respondents who were told that their credit card number was stolen recorded a significant drop in perceived service quality. Their overall satisfaction level was also significantly and negatively impacted. They indicated that they would be less likely to return to that hotel and brand. Similarly, they were less likely to recommend that hotel/brand to others. The second scenario showed results similar to the first, though not as strong. With the third scenario, perceived service quality, overall satisfaction and future behavior all showed improvements over control scores.
Expected results, critical message
Although these results were expected, they very clearly demonstrate that a security breach can have a costly, negative impact on guest trust and level of commitment. Even loyal guests showed a negative attitude towards a hotel when their credit card was breached. What's more, a hotel's recovery offerings, such as paying for a replacement card and offering a 3-year credit protection plan, were not enough to change future negative impressions.
These facts, along with the other hard costs associated with a security breach, justify the need for hospitality companies (and any company, in fact) to apply common sense practices and comply with PCI DSS.
In these columns, I have covered the topic of PCI several times. Each time, I have recommended that hospitality organizations take PCI seriously, not because credit card companies demand it, but because it is good for their businesses. Now, with this empirical evidence, I say this even more strongly. Consumer trust is very fragile. A company can spend years building confidence and trust, but one single event can destroy or damage it significantly.
If you're secure, say so!
Perhaps the most significant finding from this study is that, if the scenario is positive, meaning that the guest is told that the hotel passed a security audit, the perceived service quality, satisfaction, and positive future behavior increase significantly. Therefore, hotels should not keep their PCI compliance efforts to themselves. Communicate them to guests and other stakeholders.
With the hard deadline of June 2010 fast approaching, whereby merchants must prove that all active merchant payment applications are PCI compliant, this is even more critical. Now, you have one more reason to be compliant.