
Fraud-proofing hospitality: what every operator needs to know

A growing threat to hospitality businesses 

The hospitality industry is facing an increasing wave of payment-related fraud. In the past year alone, more than one-third of businesses reported a rise in fraudulent activity. At the same time, guest concerns about booking fraud are higher than ever, with 71% saying they worry about falling victim to deceptive transactions. Unfortunately, their concerns are valid. In Adyen’s Hospitality Report 2024, the average financial loss for those impacted was £564 ($711) per guest. 

 

In this blog, we’ll explore why hospitality is a growing target for cybercrime, unpack the complexities of PCI compliance, and outline how operators can safeguard their business, staff, and guests from payment fraud. 


Why is hospitality a target? 

The nature of hospitality transactions makes the sector particularly vulnerable. Adyen’s 2024 hospitality report highlights that high volumes of card-not-present (CNP) transactions, high transaction values, and extended booking windows have contributed to a 60% increase in online attacks since 2022 (CrowdStrike 2024 Threat Hunting Report). Hospitality now ranks among the top 15 most targeted industries for cybercrime. 

While digital check-ins and contactless payments offer convenience, they also bring new security challenges. Even more alarming is the persistence of manual booking methods—51% of hotel operators still handle significant phone-based reservations. These bookings often lack robust authentication, leaving businesses open to attack. 

Guest sentiment around payment safety 

Guests are acutely aware of the risks. In the same Adyen report, 9% said they would not rebook if asked to share card details over the phone, and 7% would avoid any hotel that asked them to write down their payment information. As expectations around secure digital experiences rise, hospitality operators must address these concerns to retain guest trust. 
 
These may seem like small percentages, but they reflect a wider shift in consumer expectations. As secure, digital-first experiences become the norm across industries, hospitality is under pressure to keep up. Guests are no longer willing to accept processes that feel unsafe or outdated, particularly when those processes involve their sensitive personal and financial information. 

For operators, these statistics should serve as a clear warning: failure to modernize payment practices could have a direct impact on repeat business and guest loyalty. Addressing these concerns isn’t just a technical necessity; it’s a fundamental part of delivering a trusted, seamless guest experience. 

Understanding PCI compliance 

The Payment Card Industry Data Security Standard (PCI DSS) exists to protect cardholder information from fraud and cyber threats. However, becoming PCI compliant, and staying that way, is no simple task. 

To meet PCI DSS, operators must implement a wide range of security measures, including: 

  • Encrypting payment data 
  • Installing firewalls and antivirus software 
  • Using tokenization and end-to-end encryption 
  • Limiting access to sensitive information 
  • Performing regular audits and vulnerability scans 

Even with the best efforts, PCI compliance isn’t a one-off achievement. It requires continuous monitoring and diligence. 

Common gaps in compliance 

Despite 72% of hotels claiming PCI compliance, the reality may be less reassuring. Many operators rely on staff with limited understanding of PCI DSS, which increases the risk of accidental non-compliance. Common issues include: 

  • Leaving credit card data visible on screens 
  • Storing card details in unprotected locations 
  • Linking point-of-sale systems to unsecured networks 
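To make three of the measures listed above concrete, here is a small added example (it is not code from this post or from RMS) covering the PCI controls that close two of the gaps just named: masking the PAN wherever it is shown on a screen, tokenizing it so the property management system never stores the card number itself, and scrubbing card numbers out of log lines before they land in an "unprotected location". It is written in Python; the token vault is an in-memory dictionary standing in for a payment provider's or HSM-backed vault, the sample PAN is the widely published Visa test number rather than a real card, and all function and class names are my own.

```python
import re
import secrets
from typing import Dict, Optional

# Constructed sample: the widely published Visa test PAN, not a real card.
SAMPLE_PAN = "4111111111111111"

# 13 to 19 digits, optionally separated by single spaces or hyphens.
PAN_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")


def luhn_valid(pan: str) -> bool:
    """True if the digits in `pan` pass the Luhn checksum used by card schemes."""
    digits = [int(c) for c in pan if c.isdigit()]
    if len(digits) < 13:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str, show_first: int = 0, show_last: int = 4) -> str:
    """Mask a PAN for display. PCI DSS allows at most the first six and the
    last four digits to remain visible; front-desk screens normally need only
    the last four to confirm a card with a guest."""
    if show_first > 6 or show_last > 4:
        raise ValueError("PCI DSS permits at most the first 6 / last 4 digits to be shown")
    digits = re.sub(r"\D", "", pan)
    head = digits[:show_first]
    tail = digits[len(digits) - show_last:] if show_last else ""
    return head + "*" * (len(digits) - len(head) - len(tail)) + tail


class TokenVault:
    """Toy token vault (in-memory dict). In production the vault is the payment
    provider's or an HSM-backed service; the PMS database holds only the token,
    so a compromise of the PMS does not expose card numbers."""

    def __init__(self) -> None:
        self._store: Dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        digits = re.sub(r"\D", "", pan)
        if not luhn_valid(digits):
            raise ValueError("not a plausible card number")
        token = "tok_" + secrets.token_hex(12)   # random, not derived from the PAN
        self._store[token] = digits
        return token

    def detokenize(self, token: str) -> Optional[str]:
        return self._store.get(token)


def scrub_log_line(line: str) -> str:
    """Replace anything that looks like a valid PAN with its masked form before
    the line is written to a log file, support ticket or screen."""
    def _redact(match) -> str:
        candidate = re.sub(r"\D", "", match.group(0))
        return mask_pan(candidate) if luhn_valid(candidate) else match.group(0)
    return PAN_RE.sub(_redact, line)


if __name__ == "__main__":
    vault = TokenVault()
    token = vault.tokenize("4111 1111 1111 1111")
    print("stored in PMS:", token)
    print("staff screen :", mask_pan(SAMPLE_PAN, show_first=6))
    # Constructed log line, as a PMS might write it without scrubbing.
    print(scrub_log_line("2024-05-01 booking 8821 card 4111111111111111 exp 12/27"))
```

The Luhn gate in the scrubber keeps reservation numbers and other long digit strings readable, at the cost of leaving a mistyped card number unmasked; an operator who would rather over-redact can drop that check and mask every 13-to-19-digit run. Whatever the choice, the scrubber belongs at the logging boundary, not in individual call sites, so that no code path can write a PAN by accident.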

These oversights are often unintentional but still leave operators exposed to security breaches. With 47% of hotels still accepting payments over the phone, the risk remains high. 

The hidden risk of self-assessment  

Many hospitality operators rely on self-assessment to meet PCI compliance standards, but without independent verification, this can leave serious gaps in security. While using a PCI-compliant property management system (PMS) can help, it doesn’t guarantee full protection. Only a PCI Level 1 certification from a qualified third party can confirm that all requirements are being met—and even then, ongoing monitoring is essential. 

The consequences of getting it wrong are severe. A single data breach can cost an average of £1.73 million. Beyond financial loss, operators risk reputational damage, regulatory penalties, and a breakdown in guest trust. 

In a sector where trust is everything, self-assessment isn’t enough. True compliance demands third-party validation and a commitment to continuous vigilance. 

 

Moving forward: A proactive approach 

Technology providers and hospitality operators must work together to create secure environments. While innovative platforms can help mitigate risks, they are not a catch-all solution. Every operator, from boutique hotels to large resorts, RV parks to serviced apartments, should pursue PCI Level 1 compliance and prioritize regular assessments to stay ahead of evolving threats. 

Ultimately, ensuring end-to-end payment security is the only way to safeguard both the guest experience and business continuity in today’s digital hospitality landscape. 
 


 

Written by

Andrew Buttigieg

Chief Technology Officer at RMS 
