
Cybersecurity Training for Hotels — Protect Guest Data, Payment Systems, and Your Entire Team.

Hotels process credit cards, ID scans, loyalty accounts, and reservation data every day. PCI DSS compliance is non-negotiable. High staff turnover means new hires are the most likely to click a phishing link. One trained employee changes everything.

500+ professionals trained
50+ industries served
98% satisfaction rate
Live expert instructors, always

The attacks targeting your industry right now.

POS Malware at Hotel Restaurants & Bars

Point-of-sale systems in hotel restaurants, bars, and room service are active targets for memory-scraping malware, which reads card data out of a terminal's memory in the moment between the swipe or dip and encryption. A regional hotel group discovered POS malware on three F&B terminals after an IT audit; card data from 1,400 guest transactions had been exfiltrated over 6 weeks. The malware is typically delivered by a phishing email opened on a workstation that can reach the POS network, so every employee who uses a POS interface or a back-office PC, front desk agents posting room charges included, is a potential entry point.

Ransomware on Property Management Systems (PMS)

Opera, Cloudbeds, and other PMS platforms store guest names, credit card authorization data, arrival/departure details, and loyalty points. Ransomware actors specifically target PMS vendors — the 2024 Interline/Hotelnexus breach exposed card data across multiple chains. A PMS outage freezes reservations, check-in, and billing simultaneously. With no reservations system, a mid-size hotel loses $40,000–$120,000 per day in lost revenue.

Credential Stuffing from High Staff Turnover

Hotel staff turnover is among the highest of any industry. Credential stuffing is the automated replay of username and password pairs from one breach against other logins, and it works because people reuse passwords. Former employees who used their work email for personal accounts, or who reused passwords across work and personal accounts, leave exactly that exposure behind: when a personal site they signed up for is breached, the dump contains a password that may still open your systems. A departed housekeeping supervisor whose staff scheduling account was never disabled is the starting point; an attacker who gets in there learns usernames, email formats, and department structure, then replays the same reused passwords against the PMS login until one lands on an account with administrative rights. New hires are exposed in a different way: they do not yet know what a phishing email aimed at your hotel looks like.
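The two exposures in that paragraph, accounts that outlive the employee and the same credentials reused across systems, can both be checked with data a hotel already holds: an HR roster with last days, each system's account list, and authentication logs. The script below is an added illustration for this page, not SecurEveryone's tooling or any PMS vendor's; the roster, account states, log lines and the log format are all constructed for the example. It flags accounts still enabled after a departure, any authentication activity by departed users, and the pivot pattern of a successful scheduling login followed by PMS attempts from the same user and source address.

```python
"""Offboarding and credential-reuse audit over constructed sample data.

Added illustration for this page, not SecurEveryone's or any PMS vendor's
tooling. The roster, account states, log lines and log format below are
all assumptions made for the example.
"""
from collections import defaultdict
from datetime import date, datetime, timedelta

# Constructed HR roster: username -> last day of employment (None = still employed).
ROSTER = {
    "jdoe": None,                # front desk, current
    "mlee": date(2024, 3, 15),   # events coordinator, left
    "rsingh": date(2024, 4, 1),  # housekeeping supervisor, left
}

# Constructed account state per system: system -> {username: enabled?}.
ACCOUNTS = {
    "scheduling": {"jdoe": True, "mlee": True, "rsingh": True},
    "pms": {"jdoe": True, "mlee": False, "rsingh": True},
}

# Constructed auth log, assumed format: "<ISO time> <system> <user> <src_ip> <result>".
LOGS = """\
2024-04-20T02:11:04 scheduling mlee 203.0.113.7 success
2024-04-20T02:12:30 pms mlee 203.0.113.7 failure
2024-04-20T02:12:41 pms mlee 203.0.113.7 failure
2024-04-21T09:00:00 scheduling jdoe 198.51.100.3 success
2024-04-22T23:40:10 scheduling rsingh 203.0.113.9 success
2024-04-22T23:41:15 pms rsingh 203.0.113.9 success
"""

AUDIT_DATE = date(2024, 4, 25)  # the day the audit is run (assumed)


def parse_logs(text):
    """Turn the assumed log format into (timestamp, system, user, ip, result) tuples."""
    events = []
    for line in text.splitlines():
        ts, system, user, ip, result = line.split()
        events.append((datetime.fromisoformat(ts), system, user, ip, result))
    return events


def stale_accounts(roster, accounts, today):
    """Accounts still enabled after the user's last day: the offboarding gap."""
    stale = []
    for system, users in accounts.items():
        for user, enabled in users.items():
            last_day = roster.get(user)
            if enabled and last_day is not None and last_day < today:
                stale.append((system, user))
    return sorted(stale)


def logins_after_departure(events, roster):
    """Any authentication event (success or failure) by a departed user."""
    return [ev for ev in events
            if roster.get(ev[2]) is not None and ev[0].date() > roster[ev[2]]]


def pivot_attempts(events, window=timedelta(minutes=10)):
    """Same user and source IP: a successful scheduling login followed by PMS
    attempts within the window. Failures count too; they are the stuffing."""
    by_key = defaultdict(list)
    for ev in events:
        by_key[(ev[2], ev[3])].append(ev)
    findings = []
    for (user, ip), evs in by_key.items():
        evs.sort()
        sched_ok = [e for e in evs if e[1] == "scheduling" and e[4] == "success"]
        pms = [e for e in evs if e[1] == "pms"]
        for s in sched_ok:
            later = [p[4] for p in pms if timedelta(0) <= p[0] - s[0] <= window]
            if later:
                findings.append((user, ip, s[0], later))
    return findings


def run_audit(today=AUDIT_DATE):
    """Bundle the three checks so the results can be inspected or tested."""
    events = parse_logs(LOGS)
    return {
        "stale": stale_accounts(ROSTER, ACCOUNTS, today),
        "post_departure": logins_after_departure(events, ROSTER),
        "pivots": pivot_attempts(events),
    }


if __name__ == "__main__":
    report = run_audit()
    for system, user in report["stale"]:
        print(f"STALE    {user} still enabled in {system}")
    for ts, system, user, ip, result in report["post_departure"]:
        print(f"DEPARTED {ts} {user} -> {system} from {ip}: {result}")
    for user, ip, ts, results in report["pivots"]:
        print(f"PIVOT    {user} from {ip} at {ts}: scheduling ok, then PMS {results}")
```

On the constructed data the audit reports three accounts that should have been disabled, five post-departure authentication events, and two pivot findings: one where the departed events coordinator's account got into scheduling and then failed twice against the PMS, and one where the same credentials worked on both systems. The stale-account check is the one to run the day someone leaves; the other two are what to look for in the logs when that did not happen.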

PCI DSS v4.0 Req. 12.6 · GDPR (international guests) · State Guest Data Privacy Laws

PCI DSS v4.0 Requirement 12.6 mandates a formal security awareness program: everyone whose job can affect the security of cardholder data is trained upon hire and at least once every 12 months, the content covers phishing and social engineering, and personnel acknowledge the security policy annually, so the program has to leave records. Hotels that market to or take bookings from people in the EU also handle GDPR-protected data, which requires additional safeguards for guest personal information. State laws such as California's breach notification statute (Civil Code §1798.82) and the CCPA's private right of action for breaches (§1798.150), and the Texas Identity Theft Enforcement and Protection Act, require breach notification and reasonable security measures when guest PII is exposed. A documented training program is the foundational PCI DSS safeguard, and your best defense against a breach that triggers notification obligations.

Training that fits your team size.

Personal
$150
For front desk agents, housekeeping supervisors, and individual staff.
  • 60-minute personalized Zoom session
  • POS and property management phishing defense
  • Guest credential and payment card hygiene
  • Personal security assessment
  • 24/7 emergency session access (+$100)
Ideal for front desk staff, concierge, and housekeeping supervisors who handle guest data.
Book this session →
Business (unlimited users)
$900
Unlimited users · $900 flat rate — no per-seat fees.
  • 2-hour comprehensive team webinar
  • Unlimited participants (front desk, F&B, housekeeping, sales) — no per-seat fees
  • Role-specific training for every department that handles guest data
  • PCI DSS compliance documentation package included
  • Post-session training records for cyber insurance and regulatory evidence
$900 flat. A 50-room boutique hotel trains every employee for one price.
Book this session →

What hotel and hospitality professionals say.

"We had a front desk agent receive what looked like an email from our revenue manager asking for the Opera credentials to run a report. She was about to send them — then she stopped. She had just come from a SecurEveryone session that covered exactly this scenario. Revenue manager confirmed she never sent the email."

— Director of Operations, Boutique Hotel Group (3 properties)

"Our POS vendor flagged unusual outbound traffic from two F&B terminals. Our IT team traced it back to a phishing email a server had opened two weeks prior. We trained all 80 front-line staff the same month. The difference in how people talk about suspicious emails now is measurable."

— General Manager, 120-Room Select-Service Hotel

"PCI compliance had been a checkbox for us — we did the questionnaire once a year and moved on. The SecurEveryone session surfaced gaps we had no idea existed: shared PMS accounts across departments, no offboarding protocol when housekeeping staff left, and front desk credentials reused across personal devices. We fixed all three before our QSA assessment."

— Comptroller, Independent Hotel & Event Venue

"A former events coordinator left on bad terms. Six weeks later, our IT team found that her credentials were still active in our staff scheduling system. SecurEveryone walked us through exactly how credential stuffing works and how a former employee with active credentials can be used as a pivot point. We now have an offboarding checklist that runs the day someone leaves."

— Hotel / Revenue Manager, Branded Boutique Property

Common questions from hotels and hospitality groups.

What does PCI DSS v4.0 Requirement 12.6 require from hotels?

PCI DSS v4.0 Requirement 12.6 mandates a formal security awareness program for all personnel who can impact the security of cardholder data. Under 12.6.3, each person is trained upon hire and at least once every 12 months and acknowledges the information security policy at least annually, so completion records and acknowledgements are part of the requirement, not an optional extra. For hotels, this means front desk, F&B, housekeeping management, events, reservations, and finance staff all need documented training. Requirement 12.6.3.1 specifically requires that training cover threats to the cardholder data environment, including phishing and related attacks and social engineering, which is what our sessions are built around. Your QSA will look for training completion records during annual assessments, and our sessions produce exactly that documentation.

We have high staff turnover. How do we keep everyone trained?

The Business-tier session is designed exactly for this scenario — one $900 flat-rate session covers unlimited participants, including new hires who join mid-year. We recommend booking a refresher session every six months for a hospitality group with high turnover, with new hires added to any scheduled session. For Personal or Executive tier, each individual staff member or manager can book their own session at $150 or $390. The key is documented training: even if a staffer is only there for three months, you have a training record for them if a QSA or PCI forensic investigator ever asks.

How does GDPR apply to a US hotel?

GDPR does not attach to a guest simply because they hold an EU passport. It applies to a US hotel that offers services to people in the EU, for example by marketing to EU residents, accepting bookings from them, or monitoring their behaviour online (Article 3(2)), and most hotels with meaningful international business meet that test. Guest names, email addresses, payment card data, passport information, and travel histories are all personal data under GDPR. You must have a lawful basis for collecting it, you must protect it, and where a breach is likely to put those guests at risk you must notify the relevant supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of it; if the risk to the guests is high, you must tell them as well. For a boutique hotel, this means having a documented data retention policy, knowing where guest data lives (PMS, F&B systems, POS, email), and having a breach response procedure that fits the GDPR notification timeline. Our Executive session covers the GDPR obligations most relevant to US hotel operations.

What does a session look like for a hotel?

Business tier sessions are a 2-hour live Zoom webinar for your entire team — front desk, F&B, housekeeping, events, reservations, and finance. The first half covers the threat landscape specific to hospitality: POS malware delivery via phishing, PMS credential theft, guest data breach notification obligations, and GDPR implications for international travelers. The second half is interactive scenario work where participants evaluate real examples from the hotel industry — including fake OTA refund emails, spoofed revenue manager requests, and PMS support impersonation. Sessions are recorded for staff who can’t attend live. Personal and Executive tiers are one-on-one or small-group sessions tailored to the individual’s role.

How fast can we get started?

Same week. Book a session at /book and select your tier. For Business tier with multiple properties, we schedule a 15-minute intake call to confirm department headcount, your PMS platform, and any specific compliance requirements from your QSA or cyber insurer. The training session itself is then scheduled at your convenience — most hotel groups are fully trained within 5–7 business days of booking.

Find out how exposed your team really is.

Take our free Phishing IQ Quiz to benchmark your team's awareness in 5 minutes — or book a 15-minute consult with one of our instructors.