Security threats are increasing in the hospitality industry. In the past year, over a third of hotel businesses have reported a rise in fraud attempts, while the proportion of guests concerned about booking fraud is as high as 71%. Among those who fell victim to deceptive transactions, £564 was the average amount lost per guest in 2024.

Adyen’s latest hospitality report provides further insights into these growing concerns, highlighting the urgent need for operators and payment technology providers to take action. A high volume of card-not-present (CNP) transactions, large transaction values and long booking windows place hospitality among the top 15 sectors for targeted online attacks, up 60% since 2022.

Digital check-in and contactless payments enhance convenience but also introduce new security risks. Manual bookings pose an even more significant threat due to weak authentication measures. Worryingly, despite the rise of digital transactions, traditional booking methods remain widespread, with 51% of hotel owners still handling a significant volume of phone reservations. While booking this way may provide reassurance, especially for older guests, it leaves hotels more vulnerable to potential breaches.

Consumers are very aware of these issues. When Adyen asked guests what would stop them from rebooking a stay, 9% answered a request to share card details over the phone, while 7% objected to being asked to write down credit card information manually.

The Payment Card Industry Data Security Standard (PCI DSS), a framework designed to protect cardholder data from theft, fraud and cyber threats, applies to every business that stores, processes or transmits card data, hotels included. But it comes with a high level of complexity. Adherence to PCI DSS requires hotels to protect cardholder data by encrypting payment information in transit and at rest, securing networks and restricting access to sensitive data through measures such as firewalls, anti-malware software, intrusion detection systems and access controls. Tokenization and point-to-point encryption, which replace the card number with a token or encrypt it before it reaches the hotel's own systems, do not remove the obligation, but they shrink the part of the environment that is in scope and therefore the amount of work needed to stay compliant.

Ensuring PCI compliance is an ongoing commitment, not a one-time task. Regular security audits and quarterly vulnerability scans (external scans must be run by a PCI-approved scanning vendor) are required to maintain compliance. The consequences of failing to meet the standard are severe and can include fines, legal action and even the loss of the ability to accept card payments. While Adyen's report suggests that 72% of hotels claim to be PCI compliant, the reality may differ. Many hotels give responsibility for PCI DSS to individuals who have limited knowledge of the full scope of the requirements.

PCI DSS violations are often unintentional and committed more easily than many hotels realize, especially without secure systems to handle sensitive data. Simple oversights can put compliance at risk: leaving card details visible on a screen, writing a card number and security code into a booking note or on paper (the security code must never be stored once a transaction has been authorized), storing payment information in unsecured locations, or connecting point-of-sale systems to unprotected networks. Many breaches stem from a lack of awareness rather than malicious intent. They persist in an environment where 47% of hotels still take manual, over-the-phone payments and 51% of hotels say this option remains popular with guests.
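Card data written into free-text fields is the oversight above that is hardest to spot by eye, because a booking note or call-centre log looks harmless. The detective control a practitioner would run over such fields is shown here as an added example (not code from the article or from RMS): it finds digit runs that pass the Luhn check, masks them to the first six and last four digits that PCI DSS allows to be displayed, and flags a stored security code, which must not be retained at all. The regular expressions, the field names and the sample notes are constructed for the example.

```python
"""Scan free-text booking notes for card data that should not be there.

Added example, not from the original article. The sample notes below are
constructed; the patterns are illustrative, not an exhaustive PAN detector.
"""
import re

# Candidate primary account number: 13 to 19 digits, optionally separated by
# spaces or dashes, not embedded in a longer digit run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# A 3- or 4-digit security code labelled as such. Sensitive authentication
# data like this must never be stored after authorization (PCI DSS req. 3).
CVV_RE = re.compile(
    r"\b(?:cvv|cvc|csc|cvv2|security code)\s*[:=]?\s*(\d{3,4})\b", re.I
)


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: separates real card numbers from booking references."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep at most the first six and last four digits, as PCI DSS allows."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scan_record(text: str) -> dict:
    """Return the masked text plus what was found in it."""
    found = []

    def _mask(match: re.Match) -> str:
        digits = re.sub(r"[ -]", "", match.group(0))
        if not luhn_ok(digits):
            return match.group(0)  # booking ref or phone number: leave it
        found.append(mask_pan(digits))
        return mask_pan(digits)

    masked = PAN_RE.sub(_mask, text)
    cvv_present = CVV_RE.search(text) is not None
    # Strip the code itself but keep the label so reviewers see what was there.
    masked = CVV_RE.sub(
        lambda m: m.group(0)[: -len(m.group(1))] + "[REMOVED]", masked
    )
    return {"pans": found, "cvv_present": cvv_present, "text": masked}


# Constructed sample notes, as a PMS might hold them after a phone booking.
SAMPLE_NOTES = [
    "Guest phoned to pay deposit: card 4111 1111 1111 1111 exp 12/27 "
    "CVV 123, confirm by email",
    "Booking ref 1234567890123456, guest will pay on arrival, "
    "phone +44 20 7946 0958",
]


if __name__ == "__main__":
    for note in SAMPLE_NOTES:
        result = scan_record(note)
        print(result["pans"], result["cvv_present"])
        print(result["text"])
```

Run over an export of notes fields, the scanner gives a list of records that need cleaning and a count of stored security codes; the preventive fix is to tokenize the card at the payment provider so the number never enters the property management system in the first place.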

Added to that is the problem posed by self-assessment. Many hotels self-declare compliance through a self-assessment questionnaire (SAQ) without having it verified by a credible third party. Using a property management system (PMS) from a PCI-compliant provider lightens the load by moving part of the cardholder data environment to that provider, but it does not transfer the hotel's own obligations, and it can create a false sense of security if a qualified auditor has not independently assessed the provider. That independent assessment, an on-site review by a Qualified Security Assessor (QSA) producing a Report on Compliance rather than a self-completed questionnaire, is what is meant by PCI Level 1 service provider validation. Even then, compliance remains an ongoing process that requires continuous monitoring.

The consequences of payment fraud and data breaches in hospitality are severe. A single breach can result in substantial financial penalties, with affected hotels reporting an average loss of £1,733,132. Beyond the economic damage, non-compliant hotels are liable for the breach, contractually to their acquirer and the card schemes and, where personal data is involved, under data protection law, and they risk lasting reputational harm that costs them guest trust and future business. The stakes are high.

While technology providers in this space increasingly recognize that secure payment processing is not optional, operators need to accept that the use of such platforms is no silver bullet. Hotel chains increasingly require PCI Level 1 validation from their payment and PMS providers, but, as cyber-crime tactics evolve, the hospitality industry must stay ahead of emerging threats by seeking the independent assessment that really demonstrates it takes the problem seriously. Only this end-to-end approach gives guests and businesses alike real assurance about the security of their payments.

About the author…

Andrew Buttigieg is the chief technology officer at RMS.
