Recent years have seen cybercriminals target the networks of numerous global hotel chains, compromising the personal information of hundreds of millions of guests. As these attacks continue to proliferate, it’s incumbent upon chief compliance officers in the hospitality industry to ensure their data privacy compliance programs remain up to snuff.
About Marie-Christine Vittet
Marie-Christine Vittet is in charge of the Payment Card Industry Data Security Standard (PCI DSS) program for Accor Group. Since the General Data Protection Regulation (GDPR) took effect, her role has been extended to cover “sensitive data.”
As vice president of compliance, Vittet coordinates the annual assessment process and leads the worldwide community that tracks compliance at local headquarters and hotels. Within the central working team, her mission is to adapt operational processes to achieve compliance.
Vittet has spent 20 years in the hospitality industry and specializes in the management of complex, broad-scope projects.
In a conversation with Compliance Week, Marie-Christine Vittet, vice president of compliance at hospitality chain Accor, discussed the company’s journey toward a global data privacy compliance program. The work has not been easy for a business that manages 260,000 employees across 51 hospitality brands and 5,200 hotels in 110 countries worldwide.
Founded in France in 1967 by two friends, Paul Dubrule and Gérard Pélisson, Accor knows about changing with the times. When Vittet came on board in 2010, her task was to implement the company’s Payment Card Industry Data Security Standard (PCI DSS) compliance program.
The PCI DSS is a set of security requirements designed to ensure that every company that accepts, processes, stores, or transmits payment card data maintains a secure environment. It applies to any organization that handles cardholder data, regardless of its size or transaction volume.
For Accor, keeping payment card handling secure across all of its merchant locations globally is vital, encompassing everything from its hotel reception areas to its thousands of restaurants, bars, gyms, spas, shops, and more.
Central to coordinating these efforts was the need to first educate merchants about the importance of payment security and to simplify PCI DSS compliance for them as much as possible. In practice, this meant providing education through an eLearning solution and ensuring access to user-friendly policies and procedures.
“I wanted a solution that provided exactly what we needed for PCI compliance and nothing more,” Vittet said. Accor enlisted the help of VigiTrust, a provider of integrated risk management solutions, in 2012 to implement a PCI DSS eLearning program for its 15,000 users.
Each hotel manager and their staff members are educated on what best practices to put in place at their hotel. Vittet explained the PCI DSS compliance training—which is made available in 10 languages—takes employees less than an hour to complete and can be done while on their shift using a hotel computer or tablet.
Staff must complete the training each year. Responsibility rests with the hotel managers to register their teams for the training, Vittet said.
Over time, Accor’s compliance training has evolved to keep pace with changing data privacy requirements. Vittet said it was important to use the PCI DSS compliance program as the foundation for the company’s other compliance and risk assessment programs to maximize successes already achieved.
For Accor, compliance efforts are spread across different teams and business units. These include security/compliance, country offices, local management, and other business lines. Having a centralized platform of compliance oversight is essential.
Third-party risk management efforts: By 2013, Accor incorporated into its platform a customized compliance program that included two parts: a PCI DSS self-assessment questionnaire (SAQ) and a vendor SAQ. Many service providers and third parties that work with Accor “want to try to escape from PCI compliance,” or they don’t understand the security requirements, Vittet said. Some third parties don’t take seriously the dates upon which they must get into PCI DSS compliance.
“That’s a significant [risk] for us,” she said. Sometimes Accor nearly falls out of compliance because a service provider doesn’t complete the SAQ in the time required. In some cases, “We will tell the third party we will not do business with them if they do not follow PCI compliance,” she said. “This is a challenging process every year.”
From a due diligence standpoint, VigiTrust’s VigiOne platform allows Vittet to see when a third party started the questionnaire to determine how they are progressing. “My view is that we are a partnership, so we need to help each other,” she said.
GDPR compliance: As Accor’s approach to data privacy has evolved, it has since rolled in compliance with the European Union’s General Data Protection Regulation (GDPR). The company now has a data protection officer in Paris in compliance with the GDPR, in addition to its network of eight local compliance hubs.
Compliance is a team effort, Vittet said. “We need to keep that on track and make sure privacy-by-design applies to any new projects,” she said.
VigiOne enables Vittet to track the progress of each hotel brand in each country, as well as Accor Group’s progress globally. “From there, we can sort out our KPIs (key performance indicators), measured against progress over time,” she said.
For example, Accor can track KPIs related to PCI compliance throughout the company, including monitoring progress against PCI compliance program steps, identifying top performers, following new hotel onboarding procedures, identifying noncompliant hotel properties, and managing compliance renewal dates.
Vittet said she also works with internal audit, which she said is “good practice to make sure what is said is what is applied and check against that.”
Future focus: The next stage of Accor’s data privacy compliance program will be to address privacy regulations on a local level. “We want them to apply globally with no overlap, because GDPR requires a lot of things and local law requires similar things,” Vittet said. “We will make sure when addressing one that we address … the same requirements for other regulations.”
From a customer standpoint, since the GDPR came into effect in May 2018, Accor has been fielding a lot of questions hotel guests have concerning data protection, Vittet said. “Sometimes, they just have questions about how their data is handled,” she said.
Fielding customer questions and concerns has become a full-time job that is still handled manually by staff. The hope is to automate systemwide answers in the future, she said.
“PCI compliance is an ongoing, evolving process,” Vittet said. In fact, there is a new version of the PCI DSS coming out this year. “We’ve been following that very carefully.”
Cybersecurity efforts in the hospitality industry also continue to evolve. In March 2021, the National Institute of Standards and Technology (NIST) issued guidance (NIST Special Publication 1800-27, Securing Property Management Systems) laying out recommendations for how hotels should secure the property management system, typically a hotel’s most critical software system.
“Accor took inspiration from NIST to revisit its PCI DSS procedures, which is a PCI requirement tested annually during our audit,” Vittet said. “This allows us to address cybersecurity and privacy risks.”