10/08/2019 | News release | Distributed by Public on 10/08/2019 12:03
Hoteliers have a responsibility to ensure that their customers' personal data and payment information are handled properly and securely. Failure to do so risks exposing that private data to the wrong hands in the event of a system security breach. To reduce that risk and properly protect customer information, the Payment Card Industry Security Standards Council (also known as the PCI SSC) was established by five major payment card brands: Visa, Mastercard, American Express, Discover and JCB.
The PCI SSC has mandated a minimum security standard across the industry governing how payment information is captured, transmitted, processed and stored. This Payment Card Industry Data Security Standard (PCI DSS) was originally released in December 2004, and as of February 2018, PCI DSS 3.2 is the newest version that must be adopted by all organizations that process payment transactions.
Any organization that stores, processes or transmits cardholder data must adhere to the most current version of the PCI DSS, regardless of the size of the organization or its transaction volume. This includes organizations that process payment transactions in person, over the phone or by mail, or via ecommerce.
The standards are strict, but are designed to protect cardholders and their personal and financial information, as well as the organization that is processing the transactions.
The PCI DSS specifies twelve requirements, which are organized into six 'control objective' groups:
While each updated version of the PCI DSS has different sub-requirements under each of these control objectives, the twelve main requirements have not changed since the standard was first launched, and are summarized below:
There are four levels of PCI compliance, based on an organization's annual transaction volume and its level of risk. Risk is assessed by the payment brands (such as Visa or Mastercard), each of which also has its own compliance requirements in addition to the PCI DSS requirements.
If you accept or process payment cards, PCI DSS requirements apply to your organization. However, because smaller merchants often have simpler environments and potentially fewer systems at risk, their PCI DSS compliance requirements may be reduced and formal validation may not be mandatory. Compliance validation and reporting requirements specific to smaller merchants must be confirmed with their merchant bank or the payment brand they work with (i.e. Visa, Mastercard, etc.).
Non-compliance with the PCI DSS requirements may result in substantial financial penalties (ranging from $5,000 to $100,000 per month), which apply even to small merchants. More importantly, non-compliance may leave an organization, its systems and its customers exposed to security risk, which could have even more serious repercussions.
Following the PCI DSS helps you ensure that your systems are, and remain, secure and protected.
Merchants can complete a Self-Assessment Questionnaire (SAQ), a self-validation tool for assessing the security of cardholder data. Additionally, it is important for hoteliers to work with PMS or payment solution providers that are already certified as PCI DSS compliant and that can provide an Attestation of Compliance (AOC).
Security is essential in today's sensitive breach environment. Keep your hotel PCI compliant and your guests safe with the RoomKeyPMS Payments solution. Contact our team today to book a demo and protect your hotel and guests.