
Customer Data Doesn't Go On Vacation: Managing Third-Party Tags in the Hospitality Industry

November 15th, 2024 | By Jscrambler | 15 min read

As the hospitality industry recovers from the challenges posed by the COVID-19 pandemic, global tourism has mostly returned to pre-pandemic levels, with many high-income regions seeing robust travel and hotel demand. This has forced hotel chains, restaurants, and travel and entertainment businesses to adjust to shifting travel patterns, including the resurgence of leisure travel and more seasonal demand, which has complicated staffing and scheduling.


Having already adopted digital tools during the pandemic to maintain safety, efficiency, and customer engagement, the industry continued to invest in digital platforms for improved revenue management, as data-driven tools let businesses monitor changes in customer behavior and demand fluctuations and adjust pricing, staffing, and resource strategies accordingly.


To support this digital transformation, the hospitality sector became more reliant on third-party services, from booking platforms to marketing and analytics tools. While these services bring undeniable benefits, they also come with hidden dangers, particularly in the form of third-party tags.


Third-party services, such as online booking engines, chatbots, customer review tools, and digital marketing solutions, have become essential to the modern website. These tools offer the ability to streamline operations, enhance customer experience, and provide valuable customer insights. However, this doesn’t come without risks.


The essentials of using third-party tags


In the hospitality industry, global companies like Marriott, Wyndham, Hilton, Intercontinental, Hyatt, Melia Hotels, Radisson, MGM, and Caesars use these third-party services to understand customer behavior, facilitate bookings, and help manage customer relationships. A hotel website might include a third-party booking system for its accommodations and social media share buttons. A restaurant chain usually features a third-party reservation form and review gatherer on its website. A travel agency adds a third-party tag to handle car hire services and accept payments on its site. These are just a few examples.


The benefits of using third-party tags such as the ones listed above are numerous: increased customer visibility, improved customer engagement, and the ability to offer personalized experiences. Third-party services can also help businesses manage reviews, run targeted advertising campaigns, and analyze customer behavior to optimize product and service offerings.


What data is being collected on the client side?


The use of third-party scripts enables the collection of extensive data on the client side, often unknown to the end-user. These scripts can track a variety of information, including:


  • User behavior: Information on how users interact with a website, including pages visited, time spent on each page, and actions taken (e.g., clicks, form submissions).

  • Demographic information: Data such as age, gender, location, and language preferences, which can be used to tailor marketing efforts.

  • Device and browser information: Details about the device and browser visitors use, which can inform website optimization efforts (including IP and MAC address).

  • Purchase history: Records of user transactions, including items purchased, the amount spent, payment methods used, and payment data.



The dangers of third-party tags in the hospitality industry


While the collection of such data can offer numerous benefits, it also presents significant risks that businesses in the hospitality industry need to be aware of:


Analytics & Personalization Tags

Analytics and personalization tags include Google Analytics, Adobe Analytics, Hotjar, LogRocket, and Fullstory, which are used to track user interactions on websites and apps. They help hotels understand customer preferences, booking patterns, and website navigation behavior, allowing for a personalized guest experience. Some of the above also replay sessions to identify and analyze drop-off points, but in the process they collect sensitive user information, which carries risk. For instance, by recording and replaying a payment session, these third-party tags may inadvertently record and store payment card data outside the Cardholder Data Environment (CDE), placing it in a non-PCI DSS-compliant environment. Additionally, other tags could collect credit card information beyond their intended scope or outside of PCI DSS compliance, raising security and regulatory concerns.


Marketing & Retargeting Tags

Marketing and retargeting tags from ad networks, including Facebook Pixel, Google Ads, and TikTok, are commonly used to gather metrics and support marketing efforts, particularly retargeting campaigns. These allow hospitality brands to reach out to guests who have previously interacted with their site but didn’t complete a booking, providing targeted offers and reminders. They’re also designed to collect an extensive set of guest data, including sensitive data such as credit card, rewards, check-in/check-out date, passport, credential, and booking reference information. This raises questions about what data is being accessed or shared by third-party tags, since to retarget users effectively, marketing tags will attempt to capture all data available on a page to identify the user. Therefore, it is crucial to establish clear policies on what data should be collected and to ensure the protection of user privacy.


Customer Support & Chatbot Tags

Example support and chatbot scripts include LiveChat and Zendesk, which enable customer service automation and allow guests to receive assistance 24x7. AI-driven chatbots also use tags to record interactions in order to improve future interactions. To be effective, chatbots must collect as much guest information as possible, which is often sensitive and quite often lies outside the intended form field. Hospitality companies must ensure these third-party tags are only allowed access to the forms and data necessary for the support interaction.


Know Your Customer (KYC) Tags

Example KYC solution providers include Jumio, Onfido, Trulioo, Authenteq, and Persona. KYC tags become important for luxury hotels, resorts, and rental properties where verifying identity is important. They’re also used for payment security, regulatory compliance, and guest personalization and loyalty. However, there are potential risks associated with this use. To complete the authentication process, some tags may collect sensitive information, such as passport numbers, driver’s license numbers, and photos. Proper safeguards are necessary to ensure that only the required data is collected and securely handled to protect user privacy.


Booking & Payment Processing Tags

Booking engines (like Sabre and Amadeus), payment gateways (like Stripe and PayPal), and buy now pay later (BNPL) services (like Afterpay and Klarna) give guests seamless, secure booking and payment experiences, including support for real-time pricing adjustments. However, these third-party tags are vulnerable to tampering by other scripts, which may manipulate the payment process or introduce malicious changes to the page. This poses significant risks, including the potential for attackers to steal user credentials or disrupt the payment flow, emphasizing the need for robust security measures to protect transaction integrity. In addition, all hospitality companies that process credit card transactions must comply with PCI DSS. Effective March 31, 2025, merchants must comply with the new PCI DSS v4 requirements 6.4.3 and 11.6.1. These new requirements are intended to protect merchants, including hospitality businesses, from digital skimming attacks, a continued and growing threat to hospitality websites.


Tag Managers 

Google Tag Manager and Adobe Launch are tag management systems (TMS) that offer a convenient way to embed tags on a website without needing direct involvement from the development team. These applications allow non-technical teams, such as marketing, digital, or the business, to add scripts independently, which can be resource-efficient and straightforward. However, this ease of access can introduce security risks, as scripts may be added without adhering to the company’s security policies, potentially exposing the site to third-party data risks.


Mitigating third-party tag risks


To mitigate the risks mentioned above, businesses in the hospitality industry must take a proactive approach that balances security with customer-centricity. Here is some guidance:


  • Audit third-party tags regularly: Regularly review and audit third-party scripts in use to ensure they are necessary, secure, and compliant with current policies.

  • Implement strong data management: Establish clear policies outlining how data is accessed, collected, used, and protected. Ensure that third-party services adhere to these policies.

  • Educate hospitality guests: Be transparent with guests about data collection practices. Clearly explain what data is being collected, and how it is used, and give them control over their data.

  • Opt for privacy-focused third-party tag solutions: Consider using third-party services that prioritize privacy and security while enabling businesses to run and innovate. Opt for services that are transparent about their data practices and are compliant with standards and regulations.


Comprehensive control with security and compliance expertise 


The hospitality industry’s reliance on third-party online services is a double-edged sword. While these services offer essential capabilities to improve guest experiences, manage revenue, and coordinate resource demand in a post-pandemic world, they also introduce data privacy, security, and customer trust risks. By understanding the potential dangers and taking steps to mitigate them, businesses can harness the benefits of third-party scripts while protecting themselves and their customers from harm. 


The crucial question becomes: how can hospitality providers effectively protect guest data while continuing to innovate?


When evaluating security solutions to meet these needs, every hospitality provider should consider a client-side protection solution based on the following criteria:


1. Comprehensive platform


  • First-party data encryption and protection

The platform should enable state-of-the-art data protection for all guest information collected throughout the customer journey, from reservation to checkout.

  • Fine-grained control over third-party vendors

The platform should offer consistent, fine-grained visibility and control over the behavior and data usage of all third-party services and software integrated into the hospitality ecosystem.


2. Flexible hybrid deployment 


Given that a hospitality provider may have many domains, login pages, and payment pages that collect personal data, it is essential to choose a provider with flexible deployment options and a convenient dashboard that aggregates data in one place.


With the PCI DSS v4 compliance deadline approaching, it is worth checking whether a potential compliance provider can help you quickly bring many payment pages into compliance with a deployment option that doesn’t require configuration. That can make your life significantly easier and remove the need to get approval from various stakeholders or allocate additional team resources to manage the new solution.


3. Peak season performance

The platform selected must also be capable of scaling up to support the largest and most demanding operations without causing any slowdown or disruption to the guest experience, particularly during peak seasons like holidays or large events.


Given the hospitality industry's seasonal fluctuations, it's crucial that the solution can scale up or down based on operational needs.


4. Comprehensive data security and compliance policies

A key feature should also be its ability to support the development of a centralized security policy by all involved teams (e.g., operations, IT, guest services, marketing, governance, risk, and compliance). This policy should encompass all client-side risks and regulatory compliance requirements, such as PCI DSS v4 compliance. It should offer assessment-ready reports for Qualified Security Assessors (QSAs).


5. Client-side & PCI DSS expertise

Client-side protection and compliance vendors should possess years of expertise in protecting JavaScript, with deep knowledge in guiding organizations through PCI DSS compliance. For third-party services, skilled consultants should be available to assist in setting up the best risk mitigation strategies, including data access controls. A fully managed service should also be an option if desired. A vendor with the right level of expertise will empower business operations while fostering customer trust. 


In conclusion, by adopting a proactive approach to security, hospitality companies can strengthen their defenses against evolving threats, ensuring a safer, more secure, and trusted guest experience.


Third-party tags, or at least the vast majority of them, serve a purpose and support the business, and thus cannot be removed. Nor should they be. By monitoring them and understanding the job of each tag or script, businesses can better control them and keep their digital platforms safe for their customers.


This is where Jscrambler can help, with a client-side protection and compliance platform that mitigates third-party tag risks while ensuring compliance with the new anti-skimming requirements in PCI DSS v4. With Jscrambler, businesses not only adopt a unified, fine-grained client-side security approach but also gain access to the top PCI DSS experts in the industry, who accelerate compliance ahead of the impending March 31, 2025 deadline. Book a demo to see Jscrambler’s solution in action today.

