Hoteliers have a responsibility to ensure that their customers’ personal data and payment information are handled properly and securely. Failure to do so risks that private data ending up in the wrong hands in the event of a security breach. To reduce that risk and properly protect customer information, the Payment Card Industry Security Standards Council (PCI SSC) was established by five major card brands: Visa, Mastercard, American Express, Discover and JCB.
The PCI SSC has mandated a minimum security standard across the industry for how payment information is captured, sent, processed and stored. This Payment Card Industry Data Security Standard (PCI DSS) was originally released in December 2004, and as of February 2018, PCI DSS 3.2 is the newest version and must be adopted by all organizations that process payment transactions.
Does PCI DSS apply to you?
Any organization that stores, processes or transmits cardholder data must adhere to the most current version of the PCI DSS, regardless of the size of the organization or its transaction volume. This includes organizations that process payment transactions in person, over the phone or by mail, or via ecommerce.
The standards are strict, but are designed to protect cardholders and their personal and financial information, as well as the organization that is processing the transactions.
What are the specific requirements of the PCI DSS?
The PCI DSS specifies twelve requirements, which are organized into six “control objective” groups:
- Build and Maintain a Secure Network and Systems
- Protect Cardholder Data
- Maintain a Vulnerability Management Program
- Implement Strong Access Control Measures
- Regularly Monitor and Test Networks
- Maintain an Information Security Policy
While each updated version of the PCI DSS has different sub-requirements under each of these control objectives, the twelve main requirements have not changed since the standard was initially launched, and are summarized below:
- Install and maintain a firewall configuration to protect cardholder data
- Do not use vendor-supplied defaults for system passwords and other security parameters
- Protect stored cardholder data
- Encrypt transmission of cardholder data across open, public networks
- Protect all systems against malware and regularly update anti-virus software or programs
- Develop and maintain secure systems and applications
- Restrict access to cardholder data by business need to know
- Identify and authenticate access to system components
- Restrict physical access to cardholder data
- Track and monitor all access to network resources and cardholder data
- Regularly test security systems and processes
- Maintain a policy that addresses information security for all personnel
There are four levels of PCI compliance, based on an organization’s annual transaction volume and its level of risk. Risk is assessed by the payment brands (such as Visa or Mastercard), each of which also has its own compliance requirements in addition to those of the PCI DSS.
- Level 1 – Over 6 million transactions annually
- Level 2 – Between 1 and 6 million transactions annually
- Level 3 – Between 20,000 and 1 million transactions annually
- Level 4 – Less than 20,000 transactions annually
If you accept or process payment cards, PCI DSS requirements apply to your organization. However, because smaller merchants often have simpler environments and potentially fewer systems at risk, their PCI DSS compliance requirements may be reduced and formal validation may not be mandatory. Smaller merchants will need to confirm their specific compliance validation and reporting requirements with their merchant bank or the payment brand they work with (e.g. Visa, Mastercard).
What happens if an organization is non-compliant?
Non-compliance with the PCI DSS requirements may result in substantial financial penalties (ranging from $5,000 to $100,000 per month), which apply even to small merchants. More importantly, non-compliance may mean that an organization, its systems and its customers are at security risk, which could have even more substantial repercussions.
Following the PCI DSS helps ensure that your systems are, and remain, secure and protected.
How can you ensure your hotel is PCI DSS compliant?
Merchants can complete a Self-Assessment Questionnaire (SAQ), a self-validation tool for assessing the security of cardholder data. Additionally, it’s important for hoteliers to work with PMS or payment solution providers whose tools are already certified as PCI DSS compliant and that can provide an Attestation of Compliance (AOC).
How can you learn more about PCI DSS requirements and compliance?
For more detailed information about PCI DSS and its requirements, visit the PCI Security Standards website for access to documentation and training, or download the current Quick Reference Guide.
Security is essential in today’s breach-prone environment. Keep your hotel PCI compliant and your guests safe with the RoomKeyPMS Payments solution. Contact our team today to book a demo and protect your hotel and guests.
Photo Credit: Rupixen on Unsplash