Get on the safe side: train your hotel staff to prevent payment card fraud

Any company can be targeted by payment card fraud. Luckily, there are effective ways of substantially reducing the risk. Most incidents have a common denominator: human behaviour. So the most effective action you can take to reduce the risk is training your staff in best practice.

This has prompted us to team up with Lobster Ink, the leading online education company specialising in the hospitality industry, to develop an online training course in PCI DSS Awareness for the hospitality industry. It’s a highly focused programme for end-users that will help your staff understand and apply the principles of PCI compliance.

Payment card fraud is a massive and growing problem that needs to be addressed as a matter of urgency. The consequences for the businesses affected are severe, ranging from penalties and disruption of daily operations to reputation damage and lost customers.

The scale of the problem is also extreme: payment card fraud caused losses of USD 21.8 billion in 2015, and the Nilson Report predicts that this will rise to more than USD 31 billion by 2020. Verizon’s ten-year review of Payment Card Industry Data Security Standard (PCI DSS) compliance found that none of the organisations whose breaches it investigated was fully PCI DSS compliant at the time of the breach.

As the pace of technological development accelerates, especially in payment systems, the risk of security breaches is higher than ever.

How can you protect your business?

With PwC’s expertise in cybercrime and compliance and Lobster Ink’s experience in innovative training, your staff will soon be up to speed with best practices. We’ve designed individual courses for customer-facing staff, back-of-house staff and management to ensure every employee is aware of the risks and mitigating actions relevant to their particular level and department.

The course will help you and your employees to identify and minimise the risks associated with handling sensitive payment card data. They’ll also learn about best practice for reducing risk to acceptable levels and systematically protecting your customers’ data.

Your employees are the first line of defence. Get them trained today!

Contact us to find out more about PCI DSS Awareness:

Nicolas Mayer
PwC Partner & Global Industry Leader
Lodging & Tourism Clients

or via

Lobster Ink

“Many people aren’t aware of the risks of using credit cards. This course was so useful for all of us – to protect our guests and ourselves.” – existing PCI DSS learner

Swiss pension outcomes are falling – could “matching” be part of the answer?

Low, even negative, interest rates and uncertain growth prospects are becoming the “new normal” in Switzerland. The impact on pension fund finances is well documented: pressure on funding levels, difficulty finding the right investment opportunities and a focus on cost transparency. This environment also poses challenges for insured members and, as a result, for their employers. Expected retirement outcomes have fallen. What does this mean for employees and employers?

Ten years ago an insured person could expect higher returns on money invested for retirement than they can today. The mandatory interest credit for Swiss pension plans under BVG/LPP was 2.50% in 2007 compared to 1.00% today. Ten-year Swiss government bond yields have fallen from 2.6% to -0.1% in the same period. This affects not only the expected returns on the assets set aside but also the cost of providing an income for life after retirement. Life expectancies for retiring pensioners have increased by about 1 year for females and 2 years for males in that time, and this too has to be funded.

All of these factors have had a major impact on retirement outcomes. Based on our calculations, in 2007 a 40-year-old could invest CHF 7’100 and expect a pension of CHF 1’000 a year in return. Today a 40-year-old would expect to have to invest CHF 14’700 for the same pension, more than a doubling of the cost of retirement over 10 years. In that time inflation expectations have also fallen, but overall the cost of retirement has increased.

What can pension funds do?

In our experience, pension funds aim to maintain the level of retirement benefits they provide while financing the promises already made. But pension funds are in a “zero-sum” game: without extra funding, members will ultimately receive lower benefits on average when results are not what was expected. Robust analysis and forecasting of what employees can expect to receive, combined with clear communication, may be the best they can do. Other measures are down to employees and employers as recipients and sponsors of retirement benefits.

What does this mean for individuals and employers?

Find higher returns? In conventional collective Swiss plans, employees share in the overall returns of the fund as these are credited to them. This limits the opportunity to take more risk in the expectation of higher returns. For higher earners, it is possible to have an individual investment strategy through a “1e” pension plan. These plans can be used to seek higher returns, but they may not be suitable for everyone.

Later retirement? Without saving more, employees have to retire later for the same outcome. In some ways this is only reasonable: if life expectancies increase without retirement ages changing, the proportion of life spent in retirement rises. Employers may have to prepare for the effect of ageing on their business, not only on workforce recruitment and retention but possibly on their business strategy and target markets.

Employers pay more? One answer may be employers paying more. But employers face economic challenges themselves, with increasing competition and pressure for results. For most companies, raising costs or investing cash may not be palatable.

Employees pay more? Creating more awareness of the individual options available to employees is one option. Additional voluntary employee contributions are typically tax-deductible. However, some employees lack confidence in their pension plan and are not keen to lock money away until retirement.

How can companies create further incentives for employees to pay more? A look abroad could help.

Could “matching” be part of the solution?

In the US as well as the UK, contribution “matching” is widely used in pension plan design. Employer contributions are adjusted to “match” those of employees: when an employee contributes a percentage of their salary into the plan, the employer contributes an amount directly linked to what the employee pays. This could be 1:1 (if the employee pays 2% of pay, the employer pays the same), or some other ratio such as 2:1 or 1:2.

The advantages of matching are two-fold: it encourages employees to pay more, and it focuses employer spending where it is most valued by employees. One of our clients challenged the common Swiss plan design in which the employer pays the same for all employees while employees can choose their own level: “Why can employees choose to pay less, but I cannot follow when they do?” A reasonable question that matching helps to address.

The challenge is that legislation in Switzerland currently restricts the ability to apply matching within the regular plan: the law requires the employer contribution rate to be the same for all employees in the same situation (e.g. age, grade). “Matching” can, however, be implemented through the buy-in system, so with the right plan design it can be incorporated into a Swiss plan.

This won’t work for every situation, as the use of buy-ins is subject to caps and restrictions that may become a barrier, and plan administration may be more complex. But in challenging times for pension outcomes, new solutions may be needed.


Richard Köppel
Pensionskassen-Experte SKPE, People and Organisation
Tel. +41 58 792 11 72
Adrian Jones
Director, People and Organisation
Tel. +41 58 792 40 13

Cyber risks are everywhere . . . even in your hotel!

Why would cyber criminals attack hotels? It’s often thought that they only target financial institutions and large multinationals. However, times have changed. To understand what is happening, we have to recognise that SMEs are also increasingly being targeted today. According to a PwC study*, the financial costs of security incidents have increased by 100% for SMEs, while those for large organisations have fallen by 20%. With regard to the major hotel chains, the story is the same: it’s easier to attack an unprepared target than one that is used to dealing with attacks and well protected.

Sensitive data

Handling very sensitive client data (credit cards, personal data, client preferences, etc.) is also in the nature of the hotel business. This is a gold mine for cyber criminals, who can reuse such data for other attacks, sell it to criminal groups or publish it on the ‘dark web’.

The best-known method is spear phishing: a targeted attack in which the criminal uses information gathered about a specific person to craft a convincing message that manipulates him or her into handing over money or access. One tried and tested fraud technique is ‘social engineering’: a criminal impersonates a wealthy client using personal information acquired previously (stolen from a hotel, for example) in order to persuade an employee of the client’s bank to transfer money.


Let us look at some actual examples. Early in 2015, White Lodging Services Corporation of Indiana, which manages hotels including Marriott properties, reported a cyber breach (an intrusion that allows criminals to access a network and the data it contains) that had lasted seven months. In 2016, it was the turn of the Hyatt chain to announce a massive theft of credit card data and client information involving over 250 establishments worldwide.

This sort of event is the hotel industry’s worst nightmare . . . but it is not alone. According to the 2016 PwC Global CEO Survey, which gathers the responses of 1,409 CEOs in 83 countries, 59% of CEOs rate cyber risks among the top three threats to the development of efficient and secure business.

They are right! The arrival of the ‘Internet of things’ is opening up almost limitless opportunities for attackers. As the number of connected objects continues to grow (it is expected to exceed 30 billion by 2020), the network security challenges multiply. The investment needed to address these challenges doubled in 2015, and yet only 36% of survey respondents have a dedicated strategy for the Internet of things.

In addition to having to protect a much wider perimeter, we also note that the number of cyber attacks reported increased by 38% globally in 2015, while the information security budgets of organisations grew by only 24%*.

Two observations

This leads to two observations: security-related investments are more often driven by regulatory requirements than by the desire to protect company data, and hotel managers tend to believe that ‘outsourcing’ is the solution to such problems. It is time for a change of mindset: hotels not only have to manage the financial and personal data of their clients, they also have to integrate cyber risk into their working methods.

To this end, hotel managers need to ask themselves a few questions:

  • Have we defined, validated and reviewed an overall security policy based on a recognised standard (e.g. the ISO/IEC 27000 family)?
  • Do we have someone who is responsible for information security (e.g. a CISO or CSO)? Do we have the required resources in terms of competence and capacity?
  • Do we perform an annual assessment of the internal and external risks to the confidentiality, integrity and availability of our data?
  • What are our ‘crown jewels’? Do we have a precise inventory of them (e.g. client data, employee data, intellectual property)?
  • What are the major technological measures we have defined to prevent and detect security incidents, such as a data leak?
  • What controls do we have in place to minimise human error, especially where key employees are concerned?
  • Which of our external service providers stores our key data? Do we have a precise inventory?
  • Do we perform internal and external penetration testing on our key applications and infrastructure in order to assess our weaknesses?
  • Have we defined a cyber-incident management process and, if so, do we test it regularly?
  • How do we collaborate with our peers?

The good news is that there are also new approaches that enable organisations to anticipate threats by making use of ‘threat intelligence’. These are systems that analyse vast volumes of data gathered from the Internet, cloud environments, the dark web, social networks and other sources. With such systems, organisations can identify the threats they face in advance and respond to them proactively rather than reactively.


To finish on a hopeful note: despite the alarming situation in which hotels find themselves, we are confident that recent events have raised global awareness of the nature of the threat and will lead to improvements in the coming months.

It’s now time to act! Because the question is no longer whether your organisation will be a victim of a cyber attack, but rather how to prepare for one and how to respond when it happens.

Contact us if you would like to discuss this topic:

Yan Borboën
Avenue C.-F. Ramuz 45
Case postale, 1001 Lausanne
+41 58 792 8459

Nicolas Vernaz
Avenue Giuseppe-Motta 50
Case postale, 1211 Genève 2
+41 58 792 9571

* ‘The Global State of Information Security® Survey 2016’ was conducted by PwC in 2015 and sent to 10,000 CEOs, CFOs, CIOs, CISOs, CSOs, VPs and directors of IT and security in over 127 countries.


Anti-money laundering: the new obligations for dealers

From 2016, anti-money laundering due diligence obligations are extended to companies and professions outside the financial sector.


The amendment to the anti-money laundering legislation, which enters into force in January 2016, imposes stricter rules on natural and legal persons who trade in goods commercially and accept cash payments of CHF 100’000 or more in doing so. Such cash payments are now subject to an enhanced duty of clarification, and dealers (e.g. in real estate, art or precious stones) must comply with due diligence obligations like those of financial intermediaries in respect of these payments, even though they do not themselves hold a licence to act as a financial intermediary.

Find out more in our fact sheet:

Anti-money laundering: the new obligations for dealers

Our experts, your contacts:

Susanne Hofmann

PwC | Legal Compliance Leader Switzerland | Director
Birchstrasse 160 | Postfach | CH-8050 Zürich

Michèle Hess

PwC | Assurance Director
Birchstrasse 160 | Postfach | CH-8050 Zürich

Online reviews: boon and bane

According to online reviews, Eastern European hotels seem to meet or exceed guests’ expectations most often. Cleanliness and location tend to be rated most highly everywhere, including in Zurich. Five-star hotels are likely to be better at responding to feedback than 3- and 4-star hotels. Cape Town leads in overall online reputation. Responding to reviews is only the beginning. These are findings of PwC’s study “Online reputations – why hotel reviews matter and how hotels respond”.

You can find the study “Online reputations – why hotel reviews matter and how hotels respond” here.

If you have any further questions please contact me.