The duo believes the industry needs to apply more urgency to adopting PCI DSS payment processing standards. By operating in a way that’s not fully compliant, hospitality operators put their valuable brand capital in jeopardy.
Security breaches are widespread, with hackers stealing card data to use elsewhere. This is a boardroom issue, with hotel owners needing to buy into compliance and see it not as an IT issue, but a business issue. If card data is taken and the situation snowballs, hotels will face fines. If news gets out, reputational damage and loss of revenue will result. Compared to this, the costs of PCI compliance are insignificant.
Whether they process a handful of card payments or millions of transactions a year, all hospitality businesses must be compliant. Even if card data is handled and stored manually, the standard still applies. In a mid-to-large hotel, a myriad of systems accept card data: prepayment bookings, call centres taking bookings over the phone with card details, and cards used to guarantee a booking, where no charge is made unless there is a no-show. Every one of these touch-points must be PCI DSS compliant.
Then, once achieved, compliance has to be one of the cornerstones of the business. Just as a hotel wouldn’t dream of not cleaning rooms each day, so it needs to ensure its PCI DSS processes are being followed daily. Those processes, once in place, must be tested and revalidated annually, either by an accredited QSA or via a self-assessment questionnaire, depending upon transaction volume.
All it takes is for an unauthorised person to be let into an area that requires a security pass, or for a guest to send an email containing card data, and there is a problem. If, however, it can be shown that staff followed the QSA-agreed procedures, the establishment is in a far stronger position should a breach occur.
The hospitality industry needs to have complete focus on preventing security breaches and protecting its brands. Not only do operators risk fines if there is a security lapse but, more importantly, they risk devaluing their brand by putting customers at risk and, ultimately, losing the ability to take card payments at all. PCI DSS compliance protects more than card data; it protects the brand capital of a hospitality business built up over years, if not decades, and what’s more important than that?
Agilysys (Europe) Limited provides specialised IT solutions to the hospitality sector, for hotels, restaurants, casinos, resorts, condominiums, cruise lines, sporting stadia, arenas, conference centres and tourist venues. Visit www.agilysyseurope.com
Servebase is a global, multi-channel payment processing provider, delivering secure card processing covering all payment environments, from single solutions to multi-channel combinations of mail order, e-commerce and ‘customer present’ Chip and PIN. Visit www.servebase.com
Does PCI DSS apply to me?
PCI DSS applies to you if you are involved in storing, processing or transmitting any cardholder data. What’s more, the standard doesn’t just apply to storing data electronically;
What are the requirements?
• You must not use card and verification details for any purpose other than completing the card transaction.
• You must not pass card details on to anyone else, except for the purpose of helping them to complete the card transaction, i.e. authorisation and/or settlement.
• You must not store the card security code (the last three digits on the signature strip).
• You are only permitted to keep a separate record of the card number and expiry date if both of these conditions apply:
o You have the specific agreement of the card holder,
o You are only going to use this information to help with future transactions, such as recurring payments, or new orders where further orders are likely.
• In short, you should not store card data that you do not need.
It’s important to know the standards, as you may be storing cardholder information (such as receipts from terminals or emails that contain cardholder details) in a way that the standard does not allow. The standard is broken down into these sections:
• Build and maintain a secure network
• Protect cardholder data
• Maintain a vulnerability management programme
• Implement strong access control measures
• Regularly monitor and test networks
• Maintain an information security policy
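The point above about receipts and emails is where most hospitality businesses get caught: card data arrives in mailboxes and booking notes, and nobody knows it is there until an assessor asks. The scanner below is an added example, not code from the original article, from Agilysys or from Servebase. It runs the standard Luhn check over candidate digit runs in text to find primary account numbers (PANs) and flags lines that carry a security code, which must never be stored. The sample mailbox text is constructed for the example; the two card numbers in it are the widely published Visa and American Express test numbers, not real cardholder data. A Luhn match is evidence, not proof, so treat hits as leads for a cardholder data discovery exercise, and remember that running a scan like this over live mailboxes itself touches cardholder data and belongs inside the scoped, controlled environment.

```python
import re
from dataclasses import dataclass

# Constructed sample of text as it might sit in a hotel mailbox or exported
# receipt log. Card numbers are the public Visa/Amex test PANs, not real data.
SAMPLE_TEXT = """\
From: guest@example.com
Subject: Booking guarantee
Please guarantee my room on 4111 1111 1111 1111, expiry 12/27, CVV 123.
Invoice ref 1234567890123456 is a room folio number, not a card.
Terminal receipt: **** **** **** 4242 AUTH 0123
Amex on file: 3782 822463 10005
"""

# 13 to 19 digits, optionally separated by single spaces or hyphens, not
# embedded in a longer digit run.
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# A security code label followed by 3 or 4 digits.
CVV = re.compile(r"\b(?:CVV2?|CVC2?|CSC|security code)\s*[:=]?\s*\d{3,4}\b", re.I)


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check as used for PANs: double every second digit from the right."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


@dataclass
class Finding:
    line_no: int
    kind: str    # "PAN" or "CVV"
    masked: str  # never carry the full value out of the scanner


def scan_text(text: str) -> list[Finding]:
    """Return PAN and security-code findings per line, with PANs masked to the last four digits."""
    findings: list[Finding] = []
    for n, line in enumerate(text.splitlines(), 1):
        for m in CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group())
            # Luhn filters out folio numbers, phone numbers and similar digit runs.
            if 13 <= len(digits) <= 19 and luhn_ok(digits):
                findings.append(Finding(n, "PAN", "*" * (len(digits) - 4) + digits[-4:]))
        if CVV.search(line):
            findings.append(Finding(n, "CVV", "<redacted>"))
    return findings


if __name__ == "__main__":
    for f in scan_text(SAMPLE_TEXT):
        print(f"line {f.line_no}: {f.kind} {f.masked}")
```

The folio number on line 4 fails the Luhn check and is ignored, the truncated receipt on line 5 exposes only the last four digits and so is not a PAN, while line 3 (a full Visa PAN plus a security code in a guest email) and line 6 (an Amex PAN "on file") are exactly the records the standard says you must not be keeping.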
# # #
Romain Consulting is a UK-based Marketing & Corporate Communications consultancy. Services, including PR, are delivered by a high-calibre, highly experienced technology marketer and former Marketing Director of a global group, covering strategy, planning and execution. The full range of Communications & Product Marketing activities is available on a project or retained basis. Specialisms: