Securing Property Management Systems

In recent years, criminals and other attackers have compromised the networks of several major hospitality companies, exposing guests' personal information. A hotel property management system (PMS) is a prime target for attackers because it manages hotel operations and holds valuable data.

Based on industry research and in collaboration with hospitality industry stakeholders, the NCCoE is proposing a solution that implements layers of security to better secure a property management system (PMS) and its connections within a hotel’s IT system.

Hotel operators rely on a property management system (PMS) for daily administrative tasks such as reservations, availability, pricing, occupancy management, check-in/out, guest profiles, guest preferences, report generation, planning, and record keeping, which includes financials. The PMS connects with other applications such as the hotel point-of-sales (POS) and central reservation systems (CRS). Additionally, the PMS links to most of the other internal and external hospitality and business systems.
Status: Finalized Guidance

Upon review, we recognize that this NIST/NCCoE publication contains potentially biased terminology. As new publications are developed, they will follow NIST’s inclusive language guidance.

NIST SP 1800-27: Complete Guide (HTML) (Web Version)
NIST SP 1800-27: Complete Guide (PDF) (Web Version)
NIST SP 1800-27A: Executive Summary (Document Version)
NIST SP 1800-27B: Approach, Architecture, and Security Characteristics (Document Version)

Project Abstract

Hotels have become targets for malicious actors wishing to exfiltrate sensitive data, deliver malware, or profit from undetected fraud. Property management systems, which are central to hotel operations, present attractive attack surfaces.

The NCCoE built a PMS reference design to demonstrate methods to improve the cybersecurity of a PMS. The PMS reference design included the PMS, a credit card payment platform, and a door key access control system. The principal capabilities of the reference design include protecting sensitive data, enforcing role-based access control, and monitoring for anomalies.

Aspects of zero trust architecture, moving target defense, tokenization of credit card data, and role-based authentication were demonstrated.

The value of the data in the Property Management System makes it a prime target for bad actors.

Learn More About Our Efforts

An unsecured or poorly secured property management system could expose a hotel (and the larger hospitality organization of which the hotel is a part) to a significant and costly data breach. This video provides more information about this challenge and an overview of how the NCCoE’s efforts can support your hospitality organization.

Collaborating Vendors

Organizations participating in this project submitted their capabilities in response to an open call in the Federal Register for all sources of relevant security capabilities from academia and industry (vendors and integrators). The following respondents with relevant capabilities or product components (identified as “Technology Partners/Collaborators” herein) signed a Cooperative Research and Development Agreement to collaborate with NIST in a consortium to build this example solution.

Join the Community of Interest

A Community of Interest (COI) is a group of professionals and advisors who share business insights, technical expertise, challenges, and perspectives to guide NCCoE projects. COIs often include experts, innovators, and everyday users of cybersecurity and privacy technologies. Share your expertise and consider becoming a member of this project's COI. 
